A supply-chain attack targeting the content delivery network (CDN) of software publisher Awesome Motive exposed users of several popular WordPress marketing plugins to malicious code, according to findings from e-commerce security firm Sansec.

The incident affected the WordPress plugins OptinMonster, TrustPulse, and PushEngage. Among them, OptinMonster is the most widely used, with more than 1.2 million websites relying on the lead-generation and conversion optimization platform.

Sansec discovered that malicious JavaScript was distributed through Awesome Motive’s CDN over the weekend. The malicious code was served to OptinMonster and TrustPulse users for a brief period on June 12, between 22:17 UTC and 22:42 UTC. PushEngage users were exposed for a longer period, with malicious content remaining active until 19:02 UTC on June 13.

The attack was designed to activate only when a WordPress administrator visited a page on an affected website. Once triggered, the malware collected authentication tokens and security nonces, allowing attackers to create unauthorized administrator accounts.

The attackers then installed a hidden backdoor plugin that established communication with a domain impersonating customer engagement platform Tidio. The malware provided attackers with persistent access, including a web shell named “WPM File Manager & Shell” and the ability to execute arbitrary PHP code, effectively giving them full control over compromised websites.

According to Sansec, the malicious plugin changed names to avoid detection while retaining identical functionality. Investigators observed versions disguised as “Content Delivery Helper” and “Database Optimizer.”

In a security advisory, Awesome Motive said the breach originated from a marketing website hosted on a separate server that was compromised through a known vulnerability in the UpdraftPlus WordPress plugin. Although the server was not connected to the company’s production infrastructure, it stored credentials for Awesome Motive’s CDN account.

After obtaining the CDN API key, the attackers modified JavaScript files distributed through the CDN, causing affected websites to load malicious code automatically.

The compromised files included:

  • a.omappapi.com/app/js/api.min.js – OptinMonster
  • a.opmnstr.com/app/js/api.min.js – OptinMonster
  • a.optnmstr.com/app/js/api.min.js – OptinMonster
  • a.trstplse.com/app/js/api.min.js – TrustPulse

Awesome Motive said it has remediated the affected marketing site, migrated it to a new server, and rotated all credentials, including the compromised CDN API key.

The company stated that its application servers, source code repositories, plugin hosting systems, and customer account databases were not affected. It also said there is no evidence that customer account information or personal data was accessed.

Website administrators who use the affected plugins are advised to immediately review their WordPress installations for unauthorized administrator accounts named “developer_api1” or “dev_xxxxxx,” inspect the wp-content/plugins directory for hidden backdoor plugins, perform comprehensive malware scans, and rotate all administrator passwords, API keys, database credentials, and WordPress security salts.

Although the malicious scripts have been removed from the CDN, compromised websites remain at risk until unauthorized accounts and backdoor plugins are fully removed.
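A triage sketch for the checks above, added here as an example and not taken from Sansec or Awesome Motive: it reads plugin headers directly from disk, so the result does not depend on what the WordPress dashboard lists, and flags the reported plugin names and administrator logins. Reading “dev_xxxxxx” as `dev_` plus six characters is an assumption, as are the function names and the sample data.

```python
import re
import tempfile
from pathlib import Path

# Disguise names reported in the article. The plugin rotated names, so an
# empty result here does not clear a site; review every unfamiliar plugin.
REPORTED_PLUGIN_NAMES = {"content delivery helper", "database optimizer"}
# Assumption: "dev_xxxxxx" means dev_ followed by six letters or digits.
SUSPECT_LOGIN = re.compile(r"^(developer_api1|dev_[A-Za-z0-9]{6})$")
# Same header convention WordPress uses to recognise a plugin file.
HEADER = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+?)\s*$", re.I | re.M)

def plugin_headers(plugins_dir):
    """Yield (php_file, declared_name) for each plugin header found on disk."""
    root = Path(plugins_dir)
    # WordPress looks for headers in top-level files and one directory down.
    for php in sorted(list(root.glob("*.php")) + list(root.glob("*/*.php"))):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        match = HEADER.search(head)
        if match:
            yield php, match.group(1)

def suspicious_plugins(plugins_dir):
    """Return (relative_path, name) for plugins using a reported disguise."""
    root = Path(plugins_dir)
    return [(str(php.relative_to(root)), name)
            for php, name in plugin_headers(root)
            if name.lower() in REPORTED_PLUGIN_NAMES]

def suspicious_admins(logins):
    """Return administrator logins matching the reported account names."""
    return [login for login in logins if SUSPECT_LOGIN.match(login)]

if __name__ == "__main__":
    # Constructed sample data: a throwaway plugins directory and login list.
    with tempfile.TemporaryDirectory() as tmp:
        for folder, name in [("optinmonster", "OptinMonster"),
                             ("cdh", "Content Delivery Helper")]:
            plugin = Path(tmp, folder)
            plugin.mkdir()
            plugin.joinpath(folder + ".php").write_text(
                "<?php\n/**\n * Plugin Name: %s\n */\n" % name)
        print(suspicious_plugins(tmp))
    print(suspicious_admins(["admin", "developer_api1", "dev_k3x9qz"]))
```

On a live site, point `suspicious_plugins` at the real `wp-content/plugins` path and feed `suspicious_admins` the output of `wp user list --role=administrator --field=user_login`.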

