
> supply chain attack.

Where's the "attack" part? I thought that was a crucial part in the definition



The author of a library has lost all control over the codebase, and a third party is now making changes to it. That's pretty much the textbook definition of stage one of a supply chain attack.

Considering what Matt has already done, it wouldn't even remotely come as a surprise if a future ACF update would, say, brick all WP installations using ACF on a WP Engine host.


> brick all WP installations using ACF on a WP Engine host

That tactic would work, if WP Engine had access to the update server hosted at wordpress.org.


It's like claiming going to the bank is stage one in a robbery. So if you go to the bank you're a thief.

WordPress have the rights, just like the responsibility and possible liability of everything distributed on their platform.


It's more like gaining backdoor access to the bank's server.

At this stage no attack has happened (but can happen)


They didn't gain access anywhere, it's their platform.


If the bank starts fiddling with the numbers in your account: "I'm not being attacked, it's their database"


> bank starts fiddling with the numbers in your account

If a bank messes with your money, you ask for your money when that happens. Not defame the bank on the basis that they updated their database, business as usual, but you liked the old one.

How exactly did they mess with your stuff? Where's the attack you're speaking about? Where's the physical harm?


The database says you have zero money, in fact you are not even a customer and never were, good day sir.


The paid version of ACF is not affected, so I'm not sure what you are talking about?

What money? who did you pay? for what?


This is how users will unknowingly update from ACF to Secure Custom Fields:

https://x.com/Brugman/status/1845195750550143424

https://archive.is/u6ZbY


As user how were you affected? Are there any features you can no longer access?


Users will no longer have security updates from the actual makers, and the team that specializes and has built it is not able to touch the code (unless you use theirs)


Injecting code that creates misleading or malicious dashboard warnings is a supply chain attack, even if it’s the intent of the supplier and not a malicious third party interfering with the supply chain.


> misleading or malicious dashboard warnings

Who did that? WP Engine was the one making these before the change


One of Matt's complaints was that WPE disabled revisions...which JetPack (owned by Automattic) suggests to do in order to improve performance. https://jetpack.com/blog/wordpress-revisions/

I ran servers for an agency with ~1200 WordPress installs on Azure VMs, and I disabled revisions on every one of the sites. How is that different? Did I fiddle too much, despite it being in official documentation on how to do so? Even despite it being actually recommended by Automattic itself for performance improvements? Many of his complaints don't add up. The copyright and WP confusion, I get...but the rest is largely nonsense. Even his Stripe/WooCommerce complaint is largely bunk.

The best outcome is for Matt to step down, Wordpress.org/WP Foundation gets sold to multiple hosting providers (WordPress.com, WPE, 1&1, GoDaddy, etc) and they all commit x amount of money to the project (given it is a very important platform for all of them) and in exchange WPE drops its suit. Unfortunately, I doubt that will happen, because some of this seems very ego driven.


Matt did when he posted his vitriolic rant to every WordPress install.



