BuddyBoss was compromised in an ongoing supply chain attack that deployed malicious updates to over 300 WordPress sites, stealing credentials and financial keys.