
OptinMonster WordPress plugin hacked in CDN supply-chain attack

Medium
Vulnerability
Published: Mon Jun 15 2026 (06/15/2026, 17:37:07 UTC)
Source: Bleeping Computer

Description

A supply-chain attack compromised the WordPress plugins OptinMonster, TrustPulse, and PushEngage by injecting malicious JavaScript via Awesome Motive's CDN. Attackers exploited a known vulnerability in the UpdraftPlus plugin to access a marketing server, steal CDN API credentials, and modify JavaScript files served to users. The malware targeted WordPress administrators, stealing authentication tokens to create rogue admin accounts and install stealth backdoor plugins enabling full remote control. Awesome Motive has remediated the issue by securing the marketing server and rotating credentials but warns that compromised sites remain at risk if rogue accounts and backdoors persist. Site owners are advised to remove rogue accounts, scan for backdoors, and rotate sensitive credentials.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/15/2026, 17:45:22 UTC

Technical Analysis

Attackers exploited a known flaw in the UpdraftPlus WordPress plugin to gain access to a marketing server hosting credentials for Awesome Motive's CDN. Using stolen CDN API keys, they injected malicious JavaScript into files distributed via the CDN for the OptinMonster, TrustPulse, and PushEngage plugins. The malicious scripts executed when WordPress administrators visited infected sites, harvesting authentication tokens and nonces to create rogue administrator accounts and install self-hiding backdoor plugins. These backdoors provide full remote access, including a web shell and arbitrary PHP code execution. Awesome Motive confirmed that its application servers and source code were not compromised, and it has remediated the marketing server and rotated all credentials. The attack window was brief, with malicious scripts served on June 12, 2026. However, compromised sites remain vulnerable if rogue accounts and backdoors are not removed.

Potential Impact

The attack allows adversaries to gain full administrative control over affected WordPress sites by creating rogue admin accounts and installing stealth backdoors. This enables remote code execution and persistent access, potentially leading to site defacement, data theft, or further compromise. Although the CDN and marketing server were compromised, Awesome Motive's core application servers and user data were not breached. The impact is limited to sites that used the affected plugins during the attack window and have not since been remediated by their owners.

Mitigation Recommendations

Awesome Motive has remediated the marketing server, migrated it to a new server, and rotated all credentials, including the CDN API key. Site owners should check for and remove rogue administrator accounts named 'developer_api1' or 'dev_xxxxxx', inspect the wp-content/plugins directory for hidden backdoor plugins, perform server-side malware scans, and rotate administrator passwords, API keys, database credentials, and WordPress security salts. The malicious scripts have been removed from the CDN, but compromised sites remain at risk until rogue accounts and backdoors are fully removed.
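One way to run the account and plugin-directory checks above, as an added example that is not code from Awesome Motive or the source article. It assumes the administrator list was exported with WP-CLI (`wp user list --role=administrator --format=json`), that the site owner maintains their own set of expected plugin directory names, and that any login starting with `dev_` deserves review, since the page gives that name only as the pattern 'dev_xxxxxx'. The sample users and the directory name `unknown-plugin-example` are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Names from the advisory. 'dev_xxxxxx' is given only as a pattern, so any
# login starting with "dev_" is flagged for manual review (assumption).
ROGUE_LOGIN = re.compile(r"^(developer_api1|dev_.+)$", re.IGNORECASE)

# Constructed sample, reduced to two fields, in the shape of
# `wp user list --role=administrator --format=json` output.
SAMPLE_ADMINS = json.dumps([
    {"user_login": "siteowner", "user_registered": "2021-03-02 10:15:00"},
    {"user_login": "developer_api1", "user_registered": "2026-06-12 14:03:11"},
    {"user_login": "dev_a1b2c3", "user_registered": "2026-06-12 14:03:12"},
    {"user_login": "newhire", "user_registered": "2026-06-13 09:00:00"},
])


def flag_admins(wp_cli_json, attack_date="2026-06-12"):
    """Return (login, reason) pairs for administrator accounts needing review."""
    findings = []
    for user in json.loads(wp_cli_json):
        login = user["user_login"]
        registered = user.get("user_registered", "")
        if ROGUE_LOGIN.match(login):
            findings.append((login, "name matches advisory"))
        elif registered[:10] >= attack_date:
            # Not named in the advisory, but created in or after the attack window.
            findings.append((login, "created on or after attack date"))
    return findings


def unexpected_plugins(plugins_dir, expected):
    """Return on-disk entries under wp-content/plugins missing from `expected`.

    Reads the filesystem instead of the WordPress plugin list because the
    backdoor plugins hide themselves; dot-prefixed entries are included.
    """
    on_disk = {p.name for p in Path(plugins_dir).iterdir()}
    return sorted(on_disk - set(expected) - {"index.php"})  # index.php ships with core


if __name__ == "__main__":
    print(flag_admins(SAMPLE_ADMINS))
    with tempfile.TemporaryDirectory() as d:  # constructed plugin directory
        for name in ("optinmonster", "unknown-plugin-example"):
            (Path(d) / name).mkdir()
        print(unexpected_plugins(d, {"optinmonster"}))
```

A flagged account or directory is a lead for manual review, not proof of compromise; a legitimate administrator added after June 12, 2026 will also appear in the first list.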


Technical Details

Article Source
{"url":"https://www.bleepingcomputer.com/news/security/optinmonster-wordpress-plugin-hacked-in-cdn-supply-chain-attack/","fetched":true,"fetchedAt":"2026-06-15T17:45:13.948Z","wordCount":812}

Threat ID: 6a303a290b89be6888650505

Added to database: 6/15/2026, 5:45:13 PM

Last enriched: 6/15/2026, 5:45:22 PM

Last updated: 6/15/2026, 7:03:15 PM
