Supply Chain Attack Hits Popular WordPress Plugins Through Awesome Motive CDN
A supply chain attack compromised the Awesome Motive CDN, injecting malicious JavaScript into files served by popular WordPress plugins OptinMonster, TrustPulse, and PushEngage. The injected code targeted logged-in WordPress administrators to create backdoor accounts and install a stealthy backdoor plugin that hides from the admin UI and allows remote code execution. The attack affected sites loading the compromised CDN scripts, exposing potentially millions of WordPress installations. The malicious activity was active briefly in June 2026 before cleanup, but the backdoor presence requires manual detection and remediation.
AI Analysis
Technical Summary
Attackers compromised the Awesome Motive CDN, which serves JavaScript files for WordPress plugins OptinMonster, TrustPulse, and PushEngage. The malicious JavaScript was injected directly into the CDN-served files, affecting all sites loading these scripts without modifying victim servers. The payload activates only for logged-in WordPress administrators, harvesting authentication tokens and fingerprinting the WordPress version. It creates backdoor admin accounts using multiple fallback methods and installs a hidden backdoor plugin that evades detection by hiding from plugin lists and REST API endpoints. The backdoor plugin exposes unauthenticated web shells and PHP eval execution. Data exfiltration is done via multiple fallback network methods to a C2 domain impersonating a legitimate chat service. The attack was discovered by Sansec researchers in June 2026, with the malicious code active for a short window. No official vendor advisory or patch information is provided. Manual detection and removal of backdoor accounts and hidden plugins are necessary.
Potential Impact
The attack compromises the integrity and security of WordPress sites using the affected plugins by injecting backdoors that allow persistent unauthorized access and remote code execution. The malicious code bypasses normal detection by hiding from the WordPress admin interface and REST API. Stolen credentials and site information are exfiltrated to an attacker-controlled domain. The scale of impact is large due to the widespread use of the affected plugins, potentially affecting millions of sites. If an admin was logged in during the injection window, the site is likely compromised. The attack undermines trust in the plugin supply chain and CDN security.
Mitigation Recommendations
No official patch or fix has been confirmed from the vendor. Site administrators should immediately check for unauthorized admin accounts named developer_api1 or dev_xxxxxx and remove them. Inspect the wp-content/plugins directory directly for hidden plugins named content-delivery-helper or database-optimizer, as these will not appear in the admin dashboard. Rotate all admin passwords and secrets. Assume full compromise if indicators of compromise are found and perform thorough server-side scanning. Monitor network traffic for connections to tidio.cc or similar suspicious domains. Await official communication from Awesome Motive for further guidance.
Supply Chain Attack Hits Popular WordPress Plugins Through Awesome Motive CDN
Description
A supply chain attack compromised the Awesome Motive CDN, injecting malicious JavaScript into files served by popular WordPress plugins OptinMonster, TrustPulse, and PushEngage. The injected code targeted logged-in WordPress administrators to create backdoor accounts and install a stealthy backdoor plugin that hides from the admin UI and allows remote code execution. The attack affected sites loading the compromised CDN scripts, exposing potentially millions of WordPress installations. The malicious activity was active briefly in June 2026 before cleanup, but the backdoor presence requires manual detection and remediation.
Reddit Discussion
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Attackers compromised the Awesome Motive CDN, which serves JavaScript files for WordPress plugins OptinMonster, TrustPulse, and PushEngage. The malicious JavaScript was injected directly into the CDN-served files, affecting all sites loading these scripts without modifying victim servers. The payload activates only for logged-in WordPress administrators, harvesting authentication tokens and fingerprinting the WordPress version. It creates backdoor admin accounts using multiple fallback methods and installs a hidden backdoor plugin that evades detection by hiding from plugin lists and REST API endpoints. The backdoor plugin exposes unauthenticated web shells and PHP eval execution. Data exfiltration is done via multiple fallback network methods to a C2 domain impersonating a legitimate chat service. The attack was discovered by Sansec researchers in June 2026, with the malicious code active for a short window. No official vendor advisory or patch information is provided. Manual detection and removal of backdoor accounts and hidden plugins are necessary.
Potential Impact
The attack compromises the integrity and security of WordPress sites using the affected plugins by injecting backdoors that allow persistent unauthorized access and remote code execution. The malicious code bypasses normal detection by hiding from the WordPress admin interface and REST API. Stolen credentials and site information are exfiltrated to an attacker-controlled domain. The scale of impact is large due to the widespread use of the affected plugins, potentially affecting millions of sites. If an admin was logged in during the injection window, the site is likely compromised. The attack undermines trust in the plugin supply chain and CDN security.
Mitigation Recommendations
No official patch or fix has been confirmed from the vendor. Site administrators should immediately check for unauthorized admin accounts named developer_api1 or dev_xxxxxx and remove them. Inspect the wp-content/plugins directory directly for hidden plugins named content-delivery-helper or database-optimizer, as these will not appear in the admin dashboard. Rotate all admin passwords and secrets. Assume full compromise if indicators of compromise are found and perform thorough server-side scanning. Monitor network traffic for connections to tidio.cc or similar suspicious domains. Await official communication from Awesome Motive for further guidance.
Technical Details
- Source Type
- Subreddit
- cybersecurity
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":30,"reasons":["external_link","newsworthy_keywords:supply chain attack","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["supply chain attack"],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a2fe5bf0b89be6888e1744e
Added to database: 6/15/2026, 11:45:03 AM
Last enriched: 6/15/2026, 11:45:12 AM
Last updated: 6/15/2026, 6:11:20 PM
Views: 14
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.