A malicious actor found a struggling WordPress plugin company, bought it, and introduced malware to each product.