"As a follow-up on the Andrew Wilder (NerdPress) and Chloe Chamberland (WordFence) reports that uncovered a limited number of compromised plugins, the Plugin Review team would like to provide more details about the case.
We identified that some plugin authors were reusing passwords exposed in data breaches elsewhere. The compromised accounts were not the result of an exploit on WordPress.org. Instead, the attackers used recycled passwords to add malicious code to a few plugins on the WordPress.org Plugin Directory.
First, out of an abundance of caution, additional plugin releases have been paused, and all new plugin commits temporarily need approval by the team. This way, we have the opportunity to confirm that the attackers cannot add malicious code to more plugins.
We have begun to force reset passwords for all plugin authors and some other users whose information was found by security researchers in data breaches. This will affect some users' ability to interact with WordPress.org or perform commits until their password is reset.
** Information about password deactivations **
Your password was deactivated if you are a plugin author or committer. If you have an existing open session on WordPress.org, you will be logged out and need to reset your password."
In other words, wordpress.org does not scan for malicious code.