Bad actors are abusing leaked and compromised credentials to install the fake core-stab plugin and other items on WordPress sites.
Fake plugin wave affecting WordPress sites — Jetpack
Some of my behind-the-scenes work at Automattic was featured in a recent Jetpack & WPScan blog post.
The WPScan version of the post includes a bit more about the malware and indicators, as well as YARA & ModSec rules.
Read more on Jetpack.com and WPScan.com.
While you’re on Jetpack.com, you might find other articles about some of my random work — such as The School Management plugin backdoor disclosure.