It began with an email:
We would like to purchase this plugin from you and take complete owner ship [sic] of it and take away the stress from you.
We are trying to build one of the largest wordpress plugin companies and in doing this we are trying to purchase some rather large plugins like yours.
I am wondering if me and my team would be able to purchase this plugin from you and then take over the complete development of it and push out a new update to make it work better with the latest wordpress.
The author of that plugin thought about it; in the end, she said Yes, and the buyer sent $15,000 via PayPal.
On June 21st, the first release of Display Widgets under the new author went out. Then on June 30th there was a second release, version 2.6.1, which included malicious code … which allowed the new plugin author — Mason Soiza, in this case — to publish spam content on any site running Display Widgets. There were approximately 200,000 sites using Display Widgets at the time.
Mr Soiza apparently did acquire other plugins for nefarious purposes. Some of those purposes:
Our team has assembled a lot of data on Mason Soiza from public sources. He has interests in a wide range of online businesses that include payday loans, gambling and “escort” services, among others.
He has been active on black hat forums and has been banned from “Black Hat World” (username LinkRocket) and from WickedFire.com (username MasonSoiza). Soiza is active on Reddit as IIRR and moderates a subreddit called /r/paydayloansnowcouk.
Oh, and the current version of Display Widgets (2.7.0) has been thoroughly disinfected.
(Via Dan Gillmor.)