Cosmic Rundown: WordPress Backdoors, Stacked PRs, and MDN Drops React

Cosmic AI

April 14, 2026

This article is part of our ongoing series exploring the latest developments in technology, designed to educate and inform developers, content teams, and technical leaders about trends shaping our industry.


Monday opens with a supply chain attack that should make every WordPress site owner nervous, a long-awaited GitHub feature finally shipping, and Mozilla making a statement about the future of frontend architecture.

30 WordPress Plugins, One Backdoor

Someone acquired 30 WordPress plugins and planted backdoors in all of them. The attack vector is straightforward: buy abandoned or neglected plugins with existing install bases, push a malicious update, and wait for automatic updates to do the rest.

This isn't a new tactic, but the scale is notable. The Hacker News discussion raises the obvious question: how do you vet plugin ownership changes? WordPress.org doesn't currently notify users when a plugin changes hands. The community is calling for better transparency around plugin acquisitions and more aggressive code review for post-acquisition updates.

For teams still running WordPress, this is a reminder that plugin sprawl creates attack surface. Every plugin is a dependency you're trusting with your site's security.
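One defensive control against the "push a malicious update and let auto-update do the rest" pattern is to baseline the files of every installed plugin and diff that baseline after each update, so a release that edits or drops in files you did not expect gets reviewed. The script below is an added example, not code from the story; it assumes the standard wp-content/plugins layout and builds a constructed plugin in a temp directory to show a changed file and an unexpected new one.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of one file (read whole; plugin files are small)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot_plugins(plugins_dir: Path) -> dict:
    """Map plugin slug -> {relative file path: sha256} for every plugin directory."""
    manifest = {}
    for plugin in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        files = {}
        for f in sorted(plugin.rglob("*")):
            if f.is_file():
                files[f.relative_to(plugin).as_posix()] = hash_file(f)
        manifest[plugin.name] = files
    return manifest

def diff_manifests(baseline: dict, current: dict) -> dict:
    """Per plugin, list files added, removed, or modified since the baseline."""
    report = {}
    for slug in sorted(set(baseline) | set(current)):
        before, after = baseline.get(slug, {}), current.get(slug, {})
        changes = {
            "added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "modified": sorted(f for f in set(before) & set(after) if before[f] != after[f]),
        }
        if any(changes.values()):
            report[slug] = changes
    return report

def demo() -> dict:
    """Constructed scenario: baseline one plugin, then simulate an update that edits a file and adds a new one."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        plugin = plugins / "example-plugin"  # constructed slug, not a real plugin
        plugin.mkdir(parents=True)
        (plugin / "example-plugin.php").write_text("<?php // original plugin code\n")
        baseline = snapshot_plugins(plugins)
        (plugin / "example-plugin.php").write_text("<?php // updated plugin code\n")
        (plugin / "inc").mkdir()
        (plugin / "inc" / "helper.php").write_text("<?php // file not in the baseline\n")
        return diff_manifests(baseline, snapshot_plugins(plugins))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A legitimate update will of course also show modified files; the value is having the exact list of what changed per plugin to review, and pairing it with a check on whether the plugin's listed owner changed before the release.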

GitHub Ships Stacked PRs

After years of community requests and third-party workarounds, GitHub officially launched Stacked PRs. The feature lets you chain dependent pull requests together, making it easier to break large changes into reviewable chunks without blocking on merge order.

The discussion is extensive. Developers who've used Graphite, ghstack, or similar tools are comparing notes on how GitHub's implementation stacks up. Early reports suggest it handles the basics well: automatic rebasing, visual dependency graphs, and cleaner review workflows.

For teams practicing trunk-based development or working on large features, this removes a significant friction point. No more manually rebasing stacked branches or explaining to reviewers why PR #3 depends on PR #2 which depends on PR #1.

MDN Drops React for Web Components

Mozilla published a deep dive on rebuilding MDN's frontend without React. The new architecture uses web components and vanilla JavaScript.

The reasoning is practical rather than ideological. MDN is largely static content with pockets of interactivity. React's runtime overhead didn't justify itself for the actual user experience. Web components provide encapsulation where needed without shipping a framework.

This isn't an argument that React is bad. It's an argument that tool selection should match the problem. Documentation sites, marketing pages, and content-heavy applications often don't need the full capabilities of a component framework.

DaVinci Resolve Adds Photo Editing

Blackmagic announced photo editing capabilities in DaVinci Resolve. The video editing suite now handles RAW photo processing with the same color science tools video editors already trust.

The discussion centers on whether this threatens Lightroom's position. Resolve is already free for most users. Adding photo editing to an already-capable video toolchain creates an interesting value proposition for creators who work across both mediums.

Google Tackles Back Button Hijacking

Google Search is rolling out a new spam policy targeting back button hijacking. Sites that trap users by manipulating browser history will face ranking penalties.

This dark pattern has plagued the web for years. You click a search result, try to go back, and find yourself stuck in an infinite loop of the same page. Google's enforcement mechanism remains unclear, but the policy change signals that this behavior will have SEO consequences.

Quick Hits

Jujutsu gains momentum. Steve Klabnik's jj tutorial hit the front page. The Git-compatible version control system continues attracting developers frustrated with Git's complexity.

Renewables pass natural gas. For the first time, US renewables generated more power than natural gas. The crossover happened in March 2026.

Backblaze drops cloud folder backups. Backblaze quietly stopped backing up OneDrive and Dropbox folders. Users discovered their cloud-synced files weren't being backed up as expected.

Introspective diffusion models. A new paper on introspective diffusion language models proposes an alternative to autoregressive generation. The approach lets models "think" before committing to output tokens.

Formal verification has limits. A developer found a bug in code that Lean proved correct. The issue wasn't with Lean itself but with the specification. You can prove code matches a spec, but proving the spec matches intent is a different problem.
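A minimal illustration of that spec-versus-intent gap, written here as an added Lean 4 example (not the code from the linked story; the names Sorted, WeakSpec, dropAll and FullSpec are invented for it): a sorting spec that only demands ordered output is satisfied by a function that discards everything, and the proof goes through.

```lean
-- A sorting "spec" that only says the output is ordered. Nothing ties the
-- output back to the input, so a function that throws everything away
-- satisfies it.
def Sorted : List Nat → Prop
  | [] => True
  | [_] => True
  | a :: b :: rest => a ≤ b ∧ Sorted (b :: rest)

def WeakSpec (sort : List Nat → List Nat) : Prop :=
  ∀ xs, Sorted (sort xs)

-- "Sorts" by returning the empty list.
def dropAll (_ : List Nat) : List Nat := []

-- Lean accepts this: dropAll provably meets WeakSpec.
theorem dropAll_meets_weakSpec : WeakSpec dropAll := by
  intro xs
  simp [WeakSpec, dropAll, Sorted]

-- The requirement the weak spec forgot: the output must be a
-- permutation of the input.
def FullSpec (sort : List Nat → List Nat) : Prop :=
  ∀ xs, Sorted (sort xs) ∧ List.Perm (sort xs) xs

-- dropAll cannot meet this one: [] is not a permutation of [1].
example : ¬ FullSpec dropAll := by
  intro h
  have := (h [1]).2
  simp [dropAll] at this
```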

What This Means for Content Teams

The WordPress backdoor story underscores why decoupled architectures matter. When your content lives in a headless CMS with a clean API, your frontend choices don't introduce CMS-level vulnerabilities. Your content infrastructure stays stable even as you swap out rendering layers.

MDN's move away from React reinforces the same principle. The best architecture is the simplest one that solves your actual problem. A headless CMS that delivers content over API lets you make that choice per-project, without rebuilding your content layer.


Building something? Start free with Cosmic and keep your content infrastructure clean.