WordPress plugin supply-chain backdoor & Google targets back-button hijacking - Hacker News (Apr 14, 2026)
WordPress supply-chain hack with Ethereum C2, Google anti-spam policy, GitHub stacked PRs, faster LLM inference, DuckDB cloud, and backup trust issues.
Our Sponsors
Today's Hacker News Topics
-
WordPress plugin supply-chain backdoor
— A major WordPress supply-chain attack abused trusted plugin updates to plant a backdoor across 30+ plugins, even using an Ethereum smart contract for C2 discovery—highlighting plugin ownership-transfer risk and SEO spam payloads. -
Google targets back-button hijacking
— Google Search added an explicit spam policy against back-button hijacking, warning of manual actions and ranking demotions as it cracks down on deceptive navigation and malicious ad-tech behavior. -
GitHub adds stacked pull requests
— GitHub rolled out native stacked pull requests plus a gh CLI extension, making it easier to review large changes as ordered, smaller PRs with safer CI and branch-protection behavior. -
Jujutsu version control gains attention
— The jj CLI for the Jujutsu VCS is positioned as a simpler, more composable alternative to Git, with Git-compatible storage that lets developers experiment without team-wide migration. -
Diffusion LMs catch up to AR
— Researchers introduced I-DLM, a diffusion-based language model approach that aims to match autoregressive quality while improving throughput via parallel token generation and introspective consistency. -
OpenDuck brings DuckDB to cloud
— OpenDuck is an open-source effort to make DuckDB work transparently with remote databases using a minimal protocol and hybrid local-remote execution—an extensible alternative to proprietary ‘DuckDB in the cloud.’ -
Backblaze backup exclusions raise trust
— A long-time Backblaze user reports silent exclusions of .git and common cloud-sync folders like OneDrive/Dropbox, raising concerns about backup transparency, retention assumptions, and user notification. -
Franklin’s Apple II clone era
— A look back at Franklin Computer’s early-1980s Apple II compatibles shows how aggressive cloning and flashy marketing collided with evolving IP enforcement and landmark legal pressure. -
NimConf 2026 community timeline
— NimConf 2026 announced its online schedule and CFP dates, setting the community’s rhythm for sharing Nim projects, libraries, and real-world use cases ahead of the June event.
Sources & Hacker News References
- → DaVinci Resolve 21 Adds Dedicated Photo Page for Still-Image Grading and Workflow
- → NimConf 2026 Set for June 20 With Call for Talk Proposals
- → Google Updates Search Spam Policies to Ban Back Button Hijacking
- → Jujutsu’s `jj` CLI: A Simpler, More Powerful Alternative to Git
- → Backdoor Found Across 30+ WordPress Plugins After Portfolio Sale
- → I-DLM claims diffusion language models can match autoregressive quality while decoding faster
- → User Claims Backblaze Quietly Excluded OneDrive, Dropbox, and Git Folders from Backups
- → GitHub Adds Native Stacked Pull Requests with gh-stack CLI
- → Franklin’s Apple II Clone Ads and the Benjamin Franklin Impersonator Behind Them
- → OpenDuck launches as an open-source, self-hosted alternative for hybrid DuckDB cloud execution
Full Episode Transcript: WordPress plugin supply-chain backdoor & Google targets back-button hijacking
Welcome to The Automated Daily, hacker news edition. The podcast created by generative AI. One of today’s stories has a twist you don’t hear every day: a WordPress plugin backdoor that reportedly used an Ethereum smart contract to help attackers find their command-and-control—making takedowns a lot harder. I’m TrendTeller, and today is April-14th-2026. Let’s get into what’s moving in security, developer tools, AI, and the broader tech ecosystem.
WordPress plugin supply-chain backdoor
First up, a serious WordPress supply-chain incident that’s a reminder of how fragile “trusted updates” can be. A security researcher says an attacker bought a portfolio of popular WordPress plugins and later pushed updates that planted a backdoor across more than 30 plugins. The fallout wasn’t just theoretical: analysis suggests some sites had code injected into wp-config.php, and the malicious behavior selectively served SEO spam and redirects primarily to Googlebot—so site owners might not notice right away. The particularly eyebrow-raising detail is the reported use of an Ethereum smart contract to help resolve the attacker’s control infrastructure. That’s not the mainstream path defenders plan for, and it can complicate the usual playbook of domain takedowns. WordPress.org closed a large set of affected plugins and pushed an update to disable the phone-home behavior, but the bigger lesson is about governance: when plugin ownership changes hands, users often don’t get a clear, prominent warning—and that can hand an attacker a distribution channel with built-in trust.
Google targets back-button hijacking
Staying with web integrity, Google Search is tightening its spam policies around something many people have experienced but may not have named: “back button hijacking.” That’s when a site manipulates browser history so the back button doesn’t take you where you expect—sometimes bouncing you to ads or pages you never chose. Google says the tactic already violated its broader rules, but now it’s explicitly categorized under malicious practices, with enforcement slated to begin mid-June. Why it matters: this is one of those user-hostile tricks that can quietly spread through third-party scripts—ad tech, widgets, analytics helpers—and Google is signaling that “it wasn’t our code” won’t be a safe excuse if it degrades basic navigation and trust.
GitHub adds stacked pull requests
On the developer workflow front, GitHub is moving closer to what many teams already try to do informally: splitting big changes into reviewable slices without losing the thread. GitHub now has native support for stacked pull requests, plus a companion CLI extension called gh stack. The key point isn’t the mechanics—it’s the social and operational win. Smaller PRs tend to get reviewed faster, reduce merge conflicts, and make it easier to spot risky changes. GitHub is also trying to make stacks behave predictably with protections and CI that reflect what will happen when everything ultimately lands on the main branch. If your team struggles with “mega-PRs,” this is GitHub acknowledging that the platform should help enforce incremental delivery, not just host it.
Jujutsu version control gains attention
Related, there’s a thoughtful look at jj, the command-line interface for Jujutsu, a distributed version control system that’s aiming at a familiar audience: people who know Git, but don’t necessarily love it. The pitch is interesting because it attacks a long-running assumption in dev tooling—that power requires complexity. Jujutsu tries to keep the workflow approachable while still enabling advanced operations that can be awkward in Git. And the practical hook is compatibility: it can sit on a Git backend, meaning an individual can try it without forcing a team migration or rewriting history. Tools that offer “opt-in adoption” tend to get real-world experimentation, which is often how ecosystems shift over time.
Diffusion LMs catch up to AR
In AI research, a new paper on “Introspective Diffusion Language Models” is taking aim at a problem that’s limited diffusion-style language models: quality. Diffusion models are attractive because they can generate in a more parallel way, which hints at speed and throughput advantages—especially at high concurrency—but they’ve typically lagged behind standard autoregressive models on output quality. The researchers claim their approach, I-DLM, closes that gap by training for what they call introspective consistency—basically making the model’s internal scoring line up with the text it’s producing. They also describe an inference method that generates multiple tokens while verifying earlier ones in the same pass, and they emphasize deployment on common serving stacks rather than exotic infrastructure. If the results hold up broadly, this is one of the more credible signals that “faster LLMs” might not have to mean “worse LLMs,” which is the tradeoff the industry keeps running into.
OpenDuck brings DuckDB to cloud
For data and analytics folks, OpenDuck is an open-source project that’s trying to bring “DuckDB, but seamlessly remote” to a self-hostable world. The idea is that you can attach a remote database and treat those tables as first-class citizens alongside local data, with the system splitting work between local execution and remote DuckDB workers. Why it’s notable is the direction, not the branding: a lot of teams want the simplicity of local analytics with the reach of cloud storage and compute, but they don’t want to lock into a proprietary interface. OpenDuck is pitching a minimal, swappable protocol and an architecture that’s meant to make hybrid local-remote queries feel normal. If it matures, it could broaden the “portable analytics” story beyond a single vendor’s platform.
Backblaze backup exclusions raise trust
Now a cautionary tale about backups—because “set it and forget it” only works if the defaults are truly protective. A long-time Backblaze user says the service has been quietly excluding certain folders from backup, including .git directories and common cloud-sync folders like OneDrive and Dropbox. Backblaze’s rationale, as described in release notes, is performance and avoiding unintended uploads from sync caches or mount points, and that’s understandable. But the complaint is about trust and communication: if users believe “everything important is backed up,” silent exclusions can turn into a nasty surprise during a restore—exactly when you least want ambiguity. The larger takeaway is one worth repeating: sync is not backup, and backup software needs to be aggressively transparent when it decides something is out of scope.
Franklin’s Apple II clone era
A quick detour into computing history: a retro look at Franklin Computer Corporation’s early-1980s ad campaigns for its Apple II–compatible machines. The ads were memorable, sometimes flamboyant, and the products were competitive on price and features—but the story is inseparable from the cloning controversy. Franklin’s machines were described as extremely close to Apple II designs, and Apple ultimately prevailed in a legal fight that helped define how software and hardware IP would be treated in this era. It’s a snapshot of an industry that was still figuring out where innovation ended and copying began—and how marketing could sprint ahead of the legal system until it couldn’t.
NimConf 2026 community timeline
Finally, a community calendar note: the Nim team announced NimConf 2026, an online event planned for June with talks premiered on YouTube and live Q&A in chat. The bigger reason it matters isn’t the date—it’s that it sets a deadline-driven rhythm for the ecosystem. For smaller language communities, conferences can act like a forcing function: polishing libraries, writing up real-world case studies, and sharing what actually worked in production. If you track Nim at all, this announcement effectively starts the “what will we have to show by June?” clock.
That’s the rundown for April-14th-2026. The themes today were pretty consistent: trust boundaries getting stressed—whether that’s WordPress updates, browser navigation, or backup defaults—and teams pushing for smoother workflows, from stacked PRs to new ideas in LLM serving and hybrid analytics. As always, links to all the stories are in the episode notes. Thanks for listening—until next time.