
A supply-chain attack targeting the WordPress plugins OptinMonster, TrustPulse, and PushEngage exposed more than 1.2 million websites to potential compromise after attackers injected malicious JavaScript into files distributed through official CDN infrastructure.
The malware created hidden administrator accounts and installed stealthy backdoors on affected sites when visited by logged-in WordPress administrators.
The campaign was discovered by security firm Sansec, which reported on June 13 that malicious code was being served through CDN-hosted JavaScript files used by OptinMonster, TrustPulse, and PushEngage. The attack leveraged trusted plugin resources rather than directly compromising individual websites, allowing the malicious code to reach a large number of WordPress installations.
OptinMonster and TrustPulse owner Awesome Motive has since confirmed the incident, attributing it to the compromise of a CDN API key. According to the company's investigation, attackers exploited a known vulnerability in a third-party plugin called UpdraftPlus running on a marketing website server, gained access to the server, and located credentials for the company's CDN account. Using those credentials, they modified JavaScript files served to customer websites without breaching OptinMonster's application infrastructure.
Awesome Motive said its application servers, source code repositories, and systems storing customer account data were hosted separately and show no evidence of unauthorized access. The company described the exposure window as lasting only a few hours on June 12, although it is continuing to verify the exact timeline using CDN logs.
Sansec's analysis found that the injected JavaScript only executed when a logged-in WordPress administrator visited an affected website. Once activated, the malware gathered WordPress security tokens, attempted to create administrator accounts, and installed a hidden plugin that provided attackers with persistent remote access.
Researchers observed the malware creating a fixed administrator account named developer_api1 linked to customer1usx@gmail.com, alongside randomized dev_xxxxxx administrator accounts. Site information and stolen credentials were then transmitted to the attacker-controlled domain tidio.cc, a lookalike of the legitimate customer support platform Tidio.
The installed backdoor plugin was designed to evade detection by hiding from WordPress plugin listings, user interfaces, update checks, and API responses. Sansec identified two disguises used during the campaign: Content Delivery Helper and Database Optimizer. The plugin also exposed unauthenticated web shell and code execution functionality, effectively granting attackers full control of compromised sites.
The first malicious activity was observed on June 12, and the malicious code was removed from the OptinMonster and TrustPulse resources shortly afterward. Sansec reported that some PushEngage CDN nodes continued serving the malicious payload until June 14.
Awesome Motive says it has revoked and rotated the compromised CDN credentials, remediated and migrated the affected marketing server, purged malicious files from the CDN, and launched a broader security review.
Website administrators running the affected plugins should check for unauthorized accounts such as developer_api1 or unexpected dev_xxxxxx users and inspect the wp-content/plugins directory for hidden plugins named content-delivery-helper or database-optimizer. If any indicators of compromise are found, administrators should remove the backdoor, rotate all passwords, API keys, database credentials, and WordPress security keys, and assume attackers obtained full administrative access to the site.
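The checks described above as an added example (not code from Sansec, Awesome Motive or the plugins): it matches a user export against the reported account indicators and walks wp-content/plugins on disk, since the backdoor hides itself from the WordPress plugin list. It assumes the randomized dev_xxxxxx logins use a six-character alphanumeric suffix, and the scan for the tidio.cc domain inside plugin PHP is an extra heuristic, not an indicator the article attributes to the plugin itself.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the Sansec / Awesome Motive reports on this campaign.
FIXED_ADMIN_USER = "developer_api1"
FIXED_ADMIN_EMAIL = "customer1usx@gmail.com"
# Assumption: the randomized "dev_xxxxxx" logins use a six-char alphanumeric suffix.
RANDOM_ADMIN_RE = re.compile(r"^dev_[a-z0-9]{6}$", re.IGNORECASE)
BACKDOOR_PLUGIN_DIRS = {"content-delivery-helper", "database-optimizer"}
EXFIL_DOMAIN = "tidio.cc"  # extra heuristic; the article names it as the exfil host


def find_suspicious_users(users):
    """users: (login, email, role) tuples exported from the site, e.g. via
    `wp user list --fields=user_login,user_email,roles --format=csv`."""
    hits = []
    for login, email, role in users:
        if login == FIXED_ADMIN_USER or email.lower() == FIXED_ADMIN_EMAIL:
            hits.append(login)
        elif RANDOM_ADMIN_RE.match(login) and "administrator" in role:
            hits.append(login)
    return hits


def find_hidden_plugins(plugins_dir):
    """Walk wp-content/plugins on disk rather than trusting the plugin list,
    which the backdoor filters itself out of. Flags the known disguise names
    and any plugin whose PHP mentions the exfiltration domain."""
    hits = set()
    for entry in Path(plugins_dir).iterdir():
        if entry.is_dir() and entry.name in BACKDOOR_PLUGIN_DIRS:
            hits.add(entry.name)
        elif entry.is_dir() and any(EXFIL_DOMAIN in p.read_text(errors="ignore")
                                    for p in entry.rglob("*.php")):
            hits.add(entry.name)
    return sorted(hits)


def demo():
    """Constructed sample: a fake plugins directory plus a fake user export."""
    users = [("admin", "owner@example.com", "administrator"),
             ("developer_api1", "a@example.com", "administrator"),
             ("dev_a1b2c3", "b@example.com", "administrator"),
             ("dev_q9w8e7", "c@example.com", "subscriber")]  # not admin: ignored
    with tempfile.TemporaryDirectory() as d:
        for name in ("akismet", "database-optimizer", "innocent-helper"):
            Path(d, name).mkdir()
        Path(d, "innocent-helper", "loader.php").write_text("<?php $u='https://tidio.cc/'; ?>")
        return find_suspicious_users(users), find_hidden_plugins(d)
```

Point `find_hidden_plugins` at the real wp-content/plugins path and feed `find_suspicious_users` the WP-CLI export; a hit on either check means treating the site as fully compromised and rotating every credential, as the article advises.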