The BuddyBoss Attack: Full Incident Analysis

ID: 8d45207c-c2bf-5be0-93af-a0bef512abaa

STIX ID: report--8d45207c-c2bf-5be0-93af-a0bef512abaa

Feed Name: Ctrl-Alt-Int3l

Threat Score: 90/100

Date Published: 2026-04-03

Date Updated: 2026-04-19

Author: Ctrl-Alt-Intel

This report documents a fast, automated supply-chain attack. A malicious GitHub Actions workflow committed to BuddyBoss repositories exfiltrated CI/CD secrets, which enabled SSH and AWS access, root escalation, and the upload of backdoored plugin/theme packages to the Caseproof Mothership CDN. The injected backdoors auto-exfiltrated site credentials and provided interactive remote control, leading to callbacks from 246+ WordPress sites and theft of sensitive data such as Stripe keys.
