WPIntell

Source evidence

MCC Official API May Be Compromised??

MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce · support · 2026-05-01T16:56:00+00:00

Sentiment: complaint · Severity: high · Relevance: 1.0 · Replies: 6

Conversation

support
costcosoldmechickens unresolved
I am seeing some not-so-good responses being spammed to the MCC system on my server. It is injecting a script every 5 minutes for the below: https://log.tremex.ro/mcc_p2.js, and this is coming from the official API IP address. I also see the WP plugin was updated 5 hours ago, which is around the time all of this started, judging by the logs. The API is compromised; the dev's account may also be compromised. Be careful out there.

Comments

6 shown
mrsrmguy 2026-05-02T05:31:00+00:00

100% an attack: https://mempool.space/address/bc1qknfmzeh4shrm5eaug2rh7ele6eaeyrllel548l. Same thing happening for us. Started with the licenses dropping, and then when you refresh it's fine. It changes the BTC address to the one above. The hacker has stolen a lot from a lot of people. Our website is hardened extremely hard, yet they still managed to compromise it. I think it's time we are dropping MCC. We also suggest checking your DB for rogue admin accounts.

costcosoldmechickens 2026-05-02T22:21:00+00:00

Not too impressed with that response from the dev. Saying all good while the activity is still going on. Surely they can see the server has still been breached and is sending out hundreds of these messages to MCC installs. There definitely needs to be more communication, and I hope he stops by here to post. His silence overall on this has been ridiculous.

Steven Stern (sterndata) 2026-05-02T22:31:00+00:00

see https://wordpress.org/support/topic/mycryptocheckout-may-1-2026-incident-update-to-v2-163/

sanji17 2026-05-03T00:57:00+00:00

On 1 May 2026 at 10:37am (UTC+8), I emailed the dev about whether someone had compromised my account. At 2:38pm the same day, the dev replied and advised me to check if the caching plugin was locking and preventing the MCC server from communicating with my website. It seems they took a longer time to investigate the issue. https://prnt.sc/OKLWjWFIZ7V6 https://prnt.sc/4ffjHMTqtGgc

wesleyvdbrink 2026-05-04T10:14:00+00:00

It's 100% an attack, and MCC confirmed this in their post. The backdoor was on their server and infecting WordPress installations from customers. When you read the script it was executing, it was changing BTC, LTC and ETH addresses. This is the Litecoin address it was using: https://blockchair.com/litecoin/address/ltc1quhxkfflj338hdadlkued0s7748y8p0jp4tu4ky

I really love this plugin, but after a second incident in 4-5 months I decided to use another way to get crypto payments. The backdoor tried to do this:

- Send your domain/data to log.tremex.ro
- Create a WordPress application password for admin access
- Create a new admin user: username: wpsecurity, email: wpsecurity@iau.pm
- Modify mycryptocheckout/src/cli/Tests.php
- Replace it with a PHP backdoor that can write files using URL parameters
- Disable MyCryptoCheckout security protections, including file-editor and XML-RPC blocking
- Store flags in localStorage so it only runs once

js2484 2026-05-04T11:02:00+00:00

Hi @wesleyvdbrink, your breakdown of the payload itself, including the attacker's C2 domain, the rogue admin creation, and the file modification attempts, is accurate. We detailed these exact indicators in our official postmortem. However, it is important to note that these specific administrative actions only occurred on a subset of affected sites, as they strictly required a logged-in administrator to view an affected wp-admin page while the payload was active.

I do want to clarify one critical technical distinction for anyone reading this thread: there was no "backdoor" on our servers.

> A backdoor implies persistent hidden access.

What actually happened was that attackers utilized "Copy Fail" (CVE-2026-31431), a vulnerability in the Linux kernel itself, in order to get root access to the machines. The weaponized exploit for this vulnerability was made public at the very end of April. Our API server was hit in the early morning on May 1st, shortly after the script dropped on the internet, before many Linux distributions even had stable patches available. Microsoft and major security firms have documented how this exact vulnerability compromised millions of cloud Linux workloads globally the same week. We have patched the kernel, rotated all keys, and released v2.163, so the plugin won't execute an unescaped payload that way again.