OptinMonster supply chain attack hits 1.2 million sites
A supply-chain attack compromised the WordPress plugins OptinMonster, TrustPulse, and PushEngage operated by Awesome Motive, affecting over 1.2 million sites. Attackers injected malicious JavaScript into legitimate plugin files served via Awesome Motive's CDN. The malware activates when a logged-in administrator accesses the site, creating stealthy backdoor admin accounts and installing a self-hiding PHP plugin. This backdoor enables unauthenticated code execution through a web shell and eval endpoint. Stolen credentials are exfiltrated to a lookalike domain tidio.cc. The breach likely originated from compromised Awesome Motive servers or their BunnyNet CDN account. The campaign was active from late April to mid-June 2026.
AI Analysis
Technical Summary
This active supply-chain attack targeted over 1.2 million WordPress sites using OptinMonster, TrustPulse, and PushEngage plugins by injecting malicious JavaScript into files served through Awesome Motive's CDN endpoints. The malware activates upon administrator login, creating backdoor admin accounts (including developer_api1 and randomized dev_xxxxxx accounts) and installing a self-hiding PHP plugin. This backdoor provides unauthenticated remote code execution via a web shell and eval endpoint. Credentials stolen from compromised sites are sent to tidio.cc, a domain mimicking the legitimate tidio.com. The initial compromise likely stemmed from Awesome Motive's servers or their BunnyNet CDN account. The attack campaign lasted from late April through mid-June 2026, impacting over one million OptinMonster installations and users of TrustPulse and PushEngage plugins.
Potential Impact
The attack compromises site integrity by injecting malicious code into widely used WordPress plugins, enabling attackers to create hidden administrative accounts and execute arbitrary code without authentication. This allows persistent unauthorized access and control over affected sites. Additionally, stolen credentials are exfiltrated to a malicious domain, increasing the risk of further compromise. The scale of the attack, affecting over 1.2 million sites, amplifies its potential impact on the WordPress ecosystem and site administrators.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Site administrators should verify the integrity of their plugin files, remove any unauthorized admin accounts (such as developer_api1 and dev_xxxxxx accounts), and scan for self-hiding PHP plugins. It is critical to change all credentials potentially exposed and monitor for suspicious activity. Since the breach likely originated from compromised Awesome Motive servers or their CDN account, users should follow official communications from Awesome Motive for updates and patches. Until official fixes are confirmed, consider disabling affected plugins or restoring sites from clean backups.
Indicators of Compromise
- url: http://a.opmnstr.com/app/js/api.min.js
- url: http://a.trstplse.com/app/js/api.min.js
- url: http://tidio.cc/cdn-cgi/
- url: http://tidio.cc/cdn-cgi/*
- url: http://tidio.cc/cdn-cgi/b
- url: http://tidio.cc/cdn-cgi/l
- url: http://tidio.cc/cdn-cgi/p
- url: http://tidio.cc/cdn-cgi/pe-b
- url: http://tidio.cc/cdn-cgi/pe-l
- url: http://tidio.cc/cdn-cgi/pe-p
OptinMonster supply chain attack hits 1.2 million sites
Description
A supply-chain attack compromised the WordPress plugins OptinMonster, TrustPulse, and PushEngage operated by Awesome Motive, affecting over 1.2 million sites. Attackers injected malicious JavaScript into legitimate plugin files served via Awesome Motive's CDN. The malware activates when a logged-in administrator accesses the site, creating stealthy backdoor admin accounts and installing a self-hiding PHP plugin. This backdoor enables unauthenticated code execution through a web shell and eval endpoint. Stolen credentials are exfiltrated to a lookalike domain tidio.cc. The breach likely originated from compromised Awesome Motive servers or their BunnyNet CDN account. The campaign was active from late April to mid-June 2026.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This active supply-chain attack targeted over 1.2 million WordPress sites using OptinMonster, TrustPulse, and PushEngage plugins by injecting malicious JavaScript into files served through Awesome Motive's CDN endpoints. The malware activates upon administrator login, creating backdoor admin accounts (including developer_api1 and randomized dev_xxxxxx accounts) and installing a self-hiding PHP plugin. This backdoor provides unauthenticated remote code execution via a web shell and eval endpoint. Credentials stolen from compromised sites are sent to tidio.cc, a domain mimicking the legitimate tidio.com. The initial compromise likely stemmed from Awesome Motive's servers or their BunnyNet CDN account. The attack campaign lasted from late April through mid-June 2026, impacting over one million OptinMonster installations and users of TrustPulse and PushEngage plugins.
Potential Impact
The attack compromises site integrity by injecting malicious code into widely used WordPress plugins, enabling attackers to create hidden administrative accounts and execute arbitrary code without authentication. This allows persistent unauthorized access and control over affected sites. Additionally, stolen credentials are exfiltrated to a malicious domain, increasing the risk of further compromise. The scale of the attack, affecting over 1.2 million sites, amplifies its potential impact on the WordPress ecosystem and site administrators.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Site administrators should verify the integrity of their plugin files, remove any unauthorized admin accounts (such as developer_api1 and dev_xxxxxx accounts), and scan for self-hiding PHP plugins. It is critical to change all credentials potentially exposed and monitor for suspicious activity. Since the breach likely originated from compromised Awesome Motive servers or their CDN account, users should follow official communications from Awesome Motive for updates and patches. Until official fixes are confirmed, consider disabling affected plugins or restoring sites from clean backups.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://sansec.io/research/optinmonster-supply-chain-attack"]
- Adversary
- null
- Pulse Id
- 6a2ec0e674b2d14b332499fa
- Threat Score
- null
Indicators of Compromise
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://a.opmnstr.com/app/js/api.min.js | — | |
urlhttp://a.trstplse.com/app/js/api.min.js | — | |
urlhttp://tidio.cc/cdn-cgi/ | — | |
urlhttp://tidio.cc/cdn-cgi/* | — | |
urlhttp://tidio.cc/cdn-cgi/b | — | |
urlhttp://tidio.cc/cdn-cgi/l | — | |
urlhttp://tidio.cc/cdn-cgi/p | — | |
urlhttp://tidio.cc/cdn-cgi/pe-b | — | |
urlhttp://tidio.cc/cdn-cgi/pe-l | — | |
urlhttp://tidio.cc/cdn-cgi/pe-p | — |
Threat ID: 6a3033290b89be68885bf1e9
Added to database: 6/15/2026, 5:15:21 PM
Last enriched: 6/15/2026, 5:30:17 PM
Last updated: 6/15/2026, 6:19:42 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.