WordPress plugin supply-chain backdoor & Google targets back-button hijacking - Hacker News (Apr 14, 2026)

First up, a serious WordPress supply-chain incident that’s a reminder of how fragile “trusted updates” can be. A security researcher says an attacker bought a portfolio of popular WordPress plugins and later pushed updates that planted a backdoor across more than 30 plugins. The fallout wasn’t just theoretical: analysis suggests some sites had code injected into wp-config.php, and the malicious behavior selectively served SEO spam and redirects primarily to Googlebot—so site owners might not notice right away. The particularly eyebrow-raising detail is the reported use of an Ethereum smart contract to help resolve the attacker’s control infrastructure. That’s not the mainstream path defenders plan for, and it can complicate the usual playbook of domain takedowns. WordPress.org closed a large set of affected plugins and pushed an update to disable the phone-home behavior, but the bigger lesson is about governance: when plugin ownership changes hands, users often don’t get a clear, prominent warning—and that can hand an attacker a distribution channel with built-in trust.

Staying with web integrity, Google Search is tightening its spam policies around something many people have experienced but may not have named: “back button hijacking.” That’s when a site manipulates browser history so the back button doesn’t take you where you expect—sometimes bouncing you to ads or pages you never chose. Google says the tactic already violated its broader rules, but now it’s explicitly categorized under malicious practices, with enforcement slated to begin mid-June. Why it matters: this is one of those user-hostile tricks that can quietly spread through third-party scripts—ad tech, widgets, analytics helpers—and Google is signaling that “it wasn’t our code” won’t be a safe excuse if it degrades basic navigation and trust.

On the developer workflow front, GitHub is moving closer to what many teams already try to do informally: splitting big changes into reviewable slices without losing the thread. GitHub now has native support for stacked pull requests, plus a companion CLI extension called gh stack. The key point isn’t the mechanics—it’s the social and operational win. Smaller PRs tend to get reviewed faster, reduce merge conflicts, and make it easier to spot risky changes. GitHub is also trying to make stacks behave predictably with protections and CI that reflect what will happen when everything ultimately lands on the main branch. If your team struggles with “mega-PRs,” this is GitHub acknowledging that the platform should help enforce incremental delivery, not just host it.

Related, there’s a thoughtful look at jj, the command-line interface for Jujutsu, a distributed version control system that’s aiming at a familiar audience: people who know Git, but don’t necessarily love it. The pitch is interesting because it attacks a long-running assumption in dev tooling—that power requires complexity. Jujutsu tries to keep the workflow approachable while still enabling advanced operations that can be awkward in Git. And the practical hook is compatibility: it can sit on a Git backend, meaning an individual can try it without forcing a team migration or rewriting history. Tools that offer “opt-in adoption” tend to get real-world experimentation, which is often how ecosystems shift over time.

In AI research, a new paper on “Introspective Diffusion Language Models” is taking aim at a problem that’s limited diffusion-style language models: quality. Diffusion models are attractive because they can generate in a more parallel way, which hints at speed and throughput advantages—especially at high concurrency—but they’ve typically lagged behind standard autoregressive models on output quality. The researchers claim their approach, I-DLM, closes that gap by training for what they call introspective consistency—basically making the model’s internal scoring line up with the text it’s producing. They also describe an inference method that generates multiple tokens while verifying earlier ones in the same pass, and they emphasize deployment on common serving stacks rather than exotic infrastructure. If the results hold up broadly, this is one of the more credible signals that “faster LLMs” might not have to mean “worse LLMs,” which is the tradeoff the industry keeps running into.

For data and analytics folks, OpenDuck is an open-source project that’s trying to bring “DuckDB, but seamlessly remote” to a self-hostable world. The idea is that you can attach a remote database and treat those tables as first-class citizens alongside local data, with the system splitting work between local execution and remote DuckDB workers. Why it’s notable is the direction, not the branding: a lot of teams want the simplicity of local analytics with the reach of cloud storage and compute, but they don’t want to lock into a proprietary interface. OpenDuck is pitching a minimal, swappable protocol and an architecture that’s meant to make hybrid local-remote queries feel normal. If it matures, it could broaden the “portable analytics” story beyond a single vendor’s platform.

Now a cautionary tale about backups—because “set it and forget it” only works if the defaults are truly protective. A long-time Backblaze user says the service has been quietly excluding certain folders from backup, including .git directories and common cloud-sync folders like OneDrive and Dropbox. Backblaze’s rationale, as described in release notes, is performance and avoiding unintended uploads from sync caches or mount points, and that’s understandable. But the complaint is about trust and communication: if users believe “everything important is backed up,” silent exclusions can turn into a nasty surprise during a restore—exactly when you least want ambiguity. The larger takeaway is one worth repeating: sync is not backup, and backup software needs to be aggressively transparent when it decides something is out of scope.

A quick detour into computing history: a retro look at Franklin Computer Corporation’s early-1980s ad campaigns for its Apple II–compatible machines. The ads were memorable, sometimes flamboyant, and the products were competitive on price and features—but the story is inseparable from the cloning controversy. Franklin’s machines were described as extremely close to Apple II designs, and Apple ultimately prevailed in a legal fight that helped define how software and hardware IP would be treated in this era. It’s a snapshot of an industry that was still figuring out where innovation ended and copying began—and how marketing could sprint ahead of the legal system until it couldn’t.

Finally, a community calendar note: the Nim team announced NimConf 2026, an online event planned for June with talks premiered on YouTube and live Q&A in chat. The bigger reason it matters isn’t the date—it’s that it sets a deadline-driven rhythm for the ecosystem. For smaller language communities, conferences can act like a forcing function: polishing libraries, writing up real-world case studies, and sharing what actually worked in production. If you track Nim at all, this announcement effectively starts the “what will we have to show by June?” clock.