Editorial: Two themes today: trust — in code, marketplaces, and vendors — and the institutions that police that trust. A mass WordPress supply‑chain hack shows how quickly trusted software can be abused. A federal court decision about a 158‑year‑old distilling ban asks who gets to make the rules inside our homes.
In Brief
GitHub launches native stacked PRs
Why this matters now: GitHub’s new stacked-PR workflow gives developers a built-in way to break large changes into ordered, reviewable layers that can be landed together, changing how teams handle big refactors and monorepo work.
GitHub announced native support for stacked pull requests, including a visual stack map, CI that evaluates each layer as if targeting the final branch, and a gh stack CLI to create and rebase stacks from the terminal. The feature formalizes a workflow many teams already use and promises to reduce review overload on large diffs — reviewers can focus on one focused change at a time while merges keep the stack coherent. Expect debate about whether this encourages longer‑lived branches; reviewers asked for tighter per-commit UIs and interdiffs, but the core ergonomics look useful for big-change workflows.
Google adds a spam policy around back‑button hijacking
Why this matters now: Google’s explicit ban on scripts that block or hijack the browser Back button could affect search visibility and force audits of third‑party libraries and single‑page app routing code.
Google’s Search team published a new policy against “back button hijacking” — scripts that replace history entries or push users back into feeds or deceptive pages — with site owners given until June 15, 2026 to remove offending code (Google post). The policy targets dark patterns that trap users, but implementing it will require engineers to distinguish legitimate SPA routing from deceptive behaviors; community threads note common offenders include ad libraries or overzealous history.replaceState usage.
Backblaze quietly excludes cloud‑sync folders from backup
Why this matters now: Backblaze customers who assumed “everything on disk” was protected should audit their backups now — OneDrive, Dropbox, and some special folders may be excluded.
A long-time Backblaze user reports the client now excludes popular cloud storage folders (OneDrive, Dropbox) and .git directories by default, a change buried in release notes and not clearly communicated to customers (post). Backups of synced folders can give a false sense of safety; if you rely on Backblaze for restores, check your exclusions and retention settings because synced services are not a substitute for versioned backups.
Deep Dive
Someone bought 30 WordPress plugins and planted a backdoor in all of them
Why this matters now: WordPress site operators and plugin marketplace watchers must assume attacker-controlled ownership changes can weaponize trusted plugins at scale — audit plugin slugs and check wp-config.php today.
A researcher found that a single buyer acquired a portfolio of 31 WordPress plugins on a marketplace and added a PHP deserialization backdoor in August 2025 that lay dormant until April 2026, when a malicious module used the plugin’s analytics component to pull a staged payload and inject a large backdoor into wp-config.php on infected sites (report). The injected code selectively served SEO spam to Googlebot, keeping visitor-facing pages mostly normal while poisoning search indexing.
"It resolved its C2 domain through an Ethereum smart contract, querying public blockchain RPC endpoints."
That sentence matters: the attackers used an on‑chain lookup to resolve their command‑and‑control endpoint. In plain terms, instead of hardcoding a server domain, the malware queried a smart contract’s data via public JSON‑RPC calls to get the current C2 host. That design makes traditional domain takedowns far less reliable because the attacker can change the returned domain and there's no single DNS record to seize.
A brief technical aside: PHP deserialization vulnerabilities let attackers turn untrusted serialized input into live PHP objects and, when misused, execute arbitrary code during object reconstruction. Combined with marketplace-driven ownership changes, the playbook is straightforward and effective: buy trust, ship a small update with a latent backdoor, wait, then flip the switch.
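The mechanism in that aside, as an added example that is not code from the report or from any of the affected plugins: CacheWriter is a hypothetical class whose destructor has a side effect, load_settings_unsafe() is the unsafe unserialize() call that lets untrusted bytes instantiate it, and the two hardened forms (allowed_classes => false, or a data-only JSON format) are what a plugin should use instead.

```php
<?php
// Added example, not code from the report or from any of the affected plugins.
// CacheWriter is a hypothetical class standing in for any class in the
// application (or its dependencies) whose magic methods have side effects.
class CacheWriter
{
    public string $path = '/tmp/cache.txt';
    public string $data = '';

    // PHP calls __destruct when the object is released, including objects
    // that unserialize() just built from attacker-controlled bytes, so the
    // attacker, not the application, chooses $path and $data.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// VULNERABLE: the serialized string names the class and every property,
// so any loaded class with a useful magic method becomes a gadget.
function load_settings_unsafe(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// HARDENED 1: never instantiate classes from untrusted data. Any object in
// the payload becomes an inert __PHP_Incomplete_Class; no magic method runs.
function load_settings_safe(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// HARDENED 2 (preferred for new code): carry settings in a data-only format.
function load_settings_json(string $untrusted): array
{
    $decoded = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : [];
}

// Constructed demo input: the same bytes an attacker could hand to the app
// (here produced locally from a harmless object instead of crafted by hand).
$payload = serialize(new CacheWriter());

$unsafe = load_settings_unsafe($payload); // a live CacheWriter; its __destruct will run
$safe   = load_settings_safe($payload);   // __PHP_Incomplete_Class; just a property bag
var_dump(get_class($unsafe), get_class($safe));
var_dump(load_settings_json('{"path":"/tmp/cache.txt","data":""}'));
```

Auditing for unserialize() on request, cookie or option data is a cheap first pass over a plugin portfolio; a class with a file-, network- or eval-flavoured __wakeup or __destruct anywhere in the autoload path is what turns that call into code execution.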
WordPress.org forcibly removed the 31 affected plugins and pushed an auto‑update that neutered phone‑home behavior, but the researcher warns the injected wp-config.php remained on many installs and continued serving spam; they published cleaned plugin zips and a list of plugin slugs to hunt for. Practically: run vendor change monitoring on installed plugins, scan for the listed slugs, and search for unexpected ~6KB injections in wp-config.php and other core files. If you host WordPress sites, treat marketplace transfers as a root‑level risk and add file integrity checks to your incident response playbook.
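One way to do the file integrity check recommended above, as an added example (not code from the researcher or from WordPress.org; the baseline file format, the list of suspicious calls and the 1000-character long-line threshold are this script's own assumptions):

```php
<?php
// Added example, not code from the report. Flags listed files whose SHA-256
// differs from a known-clean baseline, plus the packed, obfuscated blocks the
// report describes. Baseline format (this script's own convention):
// one "<sha256> <bytes> <relative path>" line per file.
// Signals worth reviewing in wp-config.php or core files, not proof of compromise.
const SUSPICIOUS_CALLS = '/\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(/i';
const LONG_LINE_CHARS = 1000; // packed payloads usually arrive as one very long line

function load_baseline(string $file): array
{
    $baseline = [];
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [$hash, $size, $path] = preg_split('/\s+/', trim($line), 3);
        $baseline[$path] = ['sha256' => $hash, 'size' => (int) $size];
    }
    return $baseline;
}

function check_file(string $root, string $rel, array $expected): array
{
    $abs = rtrim($root, '/') . '/' . $rel;
    if (!is_file($abs)) {
        return ["$rel: MISSING"];
    }
    $src = file_get_contents($abs);
    $findings = [];
    if (hash('sha256', $src) !== $expected['sha256']) {
        // The size delta is a quick triage hint: the injection above was roughly 6 KB.
        $findings[] = sprintf('%s: hash mismatch, size delta %+d bytes', $rel, strlen($src) - $expected['size']);
    }
    if (preg_match(SUSPICIOUS_CALLS, $src, $m)) {
        $findings[] = "$rel: contains " . trim($m[0]);
    }
    foreach (explode("\n", $src) as $n => $line) {
        if (strlen($line) > LONG_LINE_CHARS) {
            $findings[] = sprintf('%s: line %d is %d chars long', $rel, $n + 1, strlen($line));
            break;
        }
    }
    return $findings;
}

// Usage: php wp-integrity.php /var/www/html baseline.txt
[, $root, $baselineFile] = $argv + [null, '.', 'baseline.txt'];
$findings = [];
foreach (load_baseline($baselineFile) as $rel => $expected) {
    array_push($findings, ...check_file($root, $rel, $expected));
}
echo $findings ? implode(PHP_EOL, $findings) : 'all listed files match the baseline', PHP_EOL;
exit($findings ? 1 : 0);
```

Record the baseline on a clean install and keep it outside the web root, since anything that can write wp-config.php can also rewrite a baseline stored beside it. Run it from cron and alert on a non-zero exit so an injected block is caught before Googlebot sees it.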
US appeals court declares 158‑year‑old home distilling ban unconstitutional
Why this matters now: Hobby distillers, federal regulators, and constitutional watchers must watch the next appeal — the 5th Circuit’s ruling narrows one avenue for federal criminalization of in‑home activity.
A three‑judge panel of the 5th Circuit struck down an 1868 federal ban on home distilling, siding with the Hobby Distillers Association and individual hobbyists and calling the law “an unnecessary and improper means for Congress to exercise its power to tax” (report). Judge Edith Hollan Jones wrote the prohibition reduced tax revenue and overreached federal taxing authority.
"an unnecessary and improper means for Congress to exercise its power to tax"
Legally, the opinion is notable not solely for alcohol policy but for its constitutional framing: the court rejected using taxing power as a backdoor to criminalize ordinary home activity. Commenters and scholars immediately compared the ruling against Commerce Clause precedents like Wickard v. Filburn and Gonzales v. Raich and noted the government largely waived a Commerce Clause defense on appeal — a tactical choice that could limit the administration’s arguments at higher courts.
For hobbyists: this does not mean home distilling is free of regulation overnight. States retain their own laws, safety rules and licensing, and the decision is likely to be appealed to the Supreme Court. Public‑safety concerns also matter; distillation carries real risks from fire and methanol contamination. The broader takeaway is institutional: the ruling is a test case on how far Congress can reach into private conduct via tax and regulatory schemes, and it could influence debates from drug policy to home workshops.
Closing Thought
Trust is a fragile compound: vendors, marketplaces, and courts all help determine how much trust we can reasonably place in software, services, and laws. This week’s stories remind builders to assume compromise (monitor ownership, verify files, and segment trust) and remind citizens that old statutes can linger long after their policy rationale has faded.