#013

Someone bought 30 WordPress plugins and planted a backdoor, GitHub ate Graphite's $72M feature

A buyer paid six figures for 30 WordPress plugins on Flippa and planted a backdoor in every one. GitHub shipped native stacked PRs. DaVinci Resolve adds free photos.

Someone paid six figures on Flippa for 30 WordPress plugins. His very first SVN commit planted a PHP backdoor disguised as a compatibility check. Then he waited eight months before firing it.

The C2 server resolved through an Ethereum smart contract, which made traditional domain takedowns useless. WordPress.org force-closed all 31 plugins in a single day. Flippa had published a case study celebrating the sale before any of this happened.

In today’s indie hacker news:

  • WordPress supply chain attack: 30 plugins, one backdoor, 8 months dormant
  • GitHub ships native stacked PRs, 3 years after Graphite raised $72M for it
  • DaVinci Resolve 21 adds free photo editing with Lightroom catalog import
  • OpenClaw hit 250K stars in 60 days. 20% of its skills were malware.
  • Servo 0.1.0: Rust embeddable browser engine ships its first LTS

TOP STORIES

TRUST IS A DISTRIBUTION CHANNEL

He bought 30 WordPress plugins on Flippa and planted a backdoor in every one

WordPress plugin supply chain attack

A buyer known only as “Kris” purchased the entire Essential Plugin portfolio via Flippa for six figures in early 2025. His background: SEO, crypto, and online gambling marketing.

His first SVN commit was the attack. Version 2.6.7, released August 8, 2025, added 191 lines of malicious code. The changelog read: “Check compatibility with WordPress version 6.8.2.” Eight months later, on April 5-6, 2026, the payload fired. Attack window: 6 hours 44 minutes.

The details:

  • 31 plugins permanently closed by WordPress.org on April 7, 2026
  • C2 domain resolved via Ethereum smart contract, blocking domain takedowns
  • 22 confirmed compromised sites in the managed fleet of the researcher who discovered the attack, alone
  • Second buy-and-backdoor attack in two weeks (Widget Logic was first)

Why builders care: If you’ve built a plugin or open-source library with real installs, you’ve created a distribution asset a bad actor can buy. WordPress.org had no mechanism to review ownership transfers. Neither do npm, PyPI, or RubyGems. Flippa celebrated this exact sale as a success story.


PLATFORM ATE YOUR STARTUP

GitHub ships native stacked PRs, three years after Graphite raised $72M to build them

GitHub stacked PRs

GitHub launched gh-stack as an official CLI extension for stacked pull requests in private preview. gh stack submit creates a chain of PRs where each targets the branch below it. One command rebases and syncs everything.

Graphite raised $72M total (including a $52M Series B at a $290M valuation) building this exact feature. Hit $5.3M ARR, 20x YoY growth. Cursor acquired them in December 2025. Four months later, GitHub ships it natively.

The details:

  • Waitlist at gh.io/stacksbeta, Q2 2026 roadmap
  • AI agent integration built in: npx skills add github/gh-stack
  • Shopify saw 33% more PRs merged per developer with stacked workflows
  • AI-heavy teams merge 98% more PRs, but review time jumps 91%

Why builders care: Stacked PRs fix the AI code review bottleneck. Instead of one 800-line monster PR, you ship 4 tight PRs. GitHub’s native version removes the “convince your team to adopt Graphite” friction. No new platform, no $32/user/month.


HOLLYWOOD GOES AFTER LIGHTROOM

DaVinci Resolve 21 adds a free photo editor that imports your Lightroom catalog

DaVinci Resolve 21 Photo page

Blackmagic unveiled DaVinci Resolve 21 at NAB 2026 with a new Photo page. Hollywood’s node-based color grading tools now handle still photography. RAW support for Canon, Fuji, Nikon, Sony, and iPhone ProRAW. Tethered shooting. Up to 32K resolution.

All core Photo features are free. The $295 Studio license (one-time) adds AI tools. Adobe’s Photography Plan costs $240/year. Break-even: under 15 months.

The details:

  • Lightroom catalog import built in (the migration bridge)
  • 5.47 million Resolve users as of 2023, up from ~1M in 2020
  • 8 new AI tools including CineFocus and AI UltraSharpen
  • Public beta available now as a free download

Why builders care: Blackmagic killed markets for broadcast switchers and cinema cameras by making prosumer versions free. Now they’re targeting Adobe’s subscription lock-in with a free tool that imports your existing catalog. If you build presets, LUTs, or photo editing tools, the platform bet just changed.


VIRAL FASTER THAN SECURE

OpenClaw hit 250K GitHub stars in 60 days. One in five skills was malware.

OpenClaw malware crisis

OpenClaw went from 0 to 250K+ GitHub stars in ~60 days, surpassing React’s 10-year record. Peter Steinberger built it as a solo experiment. It went viral faster than he could secure it.

Bitdefender found 824-1,184 malicious skills in ClawHub (OpenClaw’s skill registry), roughly 20% of the catalog. The ClawHavoc campaign deployed AMOS (Atomic macOS Stealer) to exfiltrate crypto wallets, SSH keys, and browser passwords. One threat actor alone uploaded 354 malicious packages.

The details:

  • 135,000 internet-exposed instances across 82 countries, no auth required
  • 138 CVEs tracked, including CVE-2026-32922 (CVSS 9.9, privilege escalation)
  • AMOS installed backdoored Ledger Live and Trezor Suite
  • Steinberger was “close to deleting the project” before joining OpenAI

Why builders care: If you ship any kind of plugin marketplace, this is your cautionary tale. ClawHub had no code signing, no author verification, and no scanning at launch. 20% became weapons within weeks. Build the security before the virality.


🔥 Sam Altman’s home shot at for second time in three days - Two arrested for negligent discharge after a drive-by at Altman’s SF home. Follows the Molotov attack we covered in Edition #10. That suspect had an anti-AI CEO hit list. No confirmed connection between the two. 266 upvotes on r/ChatGPT.

👾 Elephant-Alpha: stealth 100B model drops free on OpenRouter - Mystery 100B model appeared on OpenRouter. 256K context, 32K output, $0/M tokens during preview. From “a prominent open model lab” but nobody knows which. No benchmarks. 182 upvotes on r/LocalLLaMA.

🚫 Anti-vibe-coding backlash erupts on r/LocalLLaMA - “Please stop using AI for posts and showcasing your completely vibe coded projects.” 288 upvotes, 123 comments. r/programming banned AI LLM content outright. Technical communities are enforcing quality floors.


FIRST DOLLAR

SCRATCH YOUR OWN ITCH, GET 45 CLIENTS

Built a tool for my own brand, friends started paying - Built it for themselves. Friends noticed. Word of mouth to 45 paying clients, zero ad spend. r/microsaas loved it (42 upvotes).


STACK OF THE DAY

🧰 Servo 0.1.0 - Embeddable browser rendering in Rust, first LTS release on crates.io. ServoBuilder and WebView APIs position it as a real alternative to Chromium Embedded Framework. Free, open source. 438 HN points.

Not sponsored. We just feature tools builders would actually use.


BOOKMARKED TODAY

🎲 Nothing Ever Happens - Python bot that buys “No” on every non-sports Polymarket prediction. Reasoning: 73.4% resolve as No. Stop overthinking it. 371 HN points.

🔍 Lean proved this program correct; then I found a bug - Formal verification promised correctness. Reality disagreed. The gap between mathematical proof and actual software behavior. 142 HN points.

☁️ Building a CLI for all of Cloudflare - Unified CLI for Cloudflare’s entire product surface. Local explorer, multi-service management. 276 HN points.


Curated by AI, built by a human.