bleepingcomputer.com web signal

OptinMonster CDN Hack Backdoors 1.2M WordPress Sites

cybersecurity ai infrastructure supply-chain-attack wordpress cdn-compromise

Key insights

  • Attackers stole Awesome Motive's CDN API key by exploiting a known UpdraftPlus flaw on an internal marketing server hosting CDN credentials.
  • Malicious JavaScript silently created rogue WordPress admin accounts and installed self-hiding backdoor plugins with full web shell and PHP execution access.
  • E-commerce security firm Sansec detected the breach over the weekend; malicious scripts ran from June 12 through June 13, 2026.

Why this matters

A single compromised CDN API key, obtained through a third-party plugin vulnerability on an internal marketing server, simultaneously weaponized JavaScript delivered to over 1.2 million WordPress sites through OptinMonster alone. CDN-based supply-chain attacks are particularly hard to detect because the malicious payload arrives from a legitimate, trusted domain with no changes to the plugin's installable package code. Any WordPress plugin vendor that stores CDN credentials on infrastructure also running unvetted third-party plugins is exposed to the same attack vector and should treat credential isolation as an urgent remediation priority.

Summary

A supply-chain attack on Awesome Motive's CDN hit OptinMonster (1.2M+ WordPress sites), TrustPulse, and PushEngage. Attackers exploited a known UpdraftPlus flaw on an internal Awesome Motive marketing server to steal CDN API credentials, then injected malicious JavaScript that harvested admin authentication tokens and nonces, silently created rogue administrator accounts, and installed self-hiding backdoor plugins named 'Content Delivery Helper' or 'Database Optimizer' that communicated with a domain impersonating Tidio.

Essentially (Awesome Motive, Sansec):

  • CDN credentials were stolen through a third-party plugin on an internal server; Sansec detected the attack over the weekend.
  • OptinMonster and TrustPulse served malicious scripts 22:17-22:42 UTC June 12; PushEngage continued until 19:02 UTC June 13.
  • Backdoor accounts appear with usernames like 'developer_api1' or 'dev_xxxxxx'.
  • Awesome Motive confirmed application servers and account data were hosted separately and were not breached.

The entry point was a third-party plugin running on an internal marketing server, not a flaw in Awesome Motive's own product code.

Potential risks and opportunities

Risks

  • Sites with WordPress administrators logged in during June 12-13 may still host undetected 'Content Delivery Helper' or 'Database Optimizer' backdoor plugins if site owners have not yet audited wp-content/plugins.
  • PushEngage sites faced a longer exposure window than OptinMonster and TrustPulse, with malicious code served until 19:02 UTC on June 13, so PushEngage site owners have a wider window of affected sessions to review and a later cut-off for remediation.
  • Additional Awesome Motive CDN-hosted JavaScript assets not yet named in incident reporting could have been modified using the same stolen CDN API key during the June 12-13 attack window.

Opportunities

  • WordPress security vendors (Wordfence, Patchstack, Sansec) can market targeted scanning tools to detect 'developer_api1' and 'dev_xxxxxx' rogue accounts and the named backdoor plugins across the exposed site population.
  • CDN providers offering JavaScript file integrity verification and API key scoping (Cloudflare, Fastly) gain a concrete sales narrative for plugin vendors following a high-profile CDN credential theft at this scale.
  • Managed WordPress hosts and security consultants can offer post-incident forensic audits focused on credential rotation (API keys, database credentials, WordPress security salts) as a direct service to OptinMonster, TrustPulse, and PushEngage site owners.
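A defender-side audit of the indicators named in the Risks and Opportunities lists above (rogue admin logins, backdoor plugin titles, the June 12-13 serving window), as an added example that is not from BleepingComputer, Sansec or Awesome Motive. It assumes input JSON in the shape of `wp user list --format=json` and `wp plugin list --format=json` output (sample data constructed inline) and treats the reporting's 'dev_xxxxxx' placeholder as six alphanumeric characters.

```python
import json
import re
from datetime import datetime, timezone

# Indicators reported for this incident. 'dev_xxxxxx' is a placeholder in the
# reporting; six alphanumerics is an assumption, so treat matches as leads, not proof.
ROGUE_LOGIN_RE = re.compile(r"^(developer_api\d+|dev_[a-z0-9]{6})$", re.IGNORECASE)
BACKDOOR_PLUGIN_TITLES = {"content delivery helper", "database optimizer"}
# Widest reported serving window (OptinMonster/TrustPulse start, PushEngage end), UTC.
WINDOW_START = datetime(2026, 6, 12, 22, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 13, 19, 2, tzinfo=timezone.utc)

# Constructed sample data in the shape of `wp user list` / `wp plugin list` JSON.
SAMPLE_USERS = json.dumps([
    {"user_login": "admin", "user_registered": "2021-03-04 10:00:00", "roles": "administrator"},
    {"user_login": "developer_api1", "user_registered": "2026-06-12 22:31:07", "roles": "administrator"},
    {"user_login": "editor_jane", "user_registered": "2026-06-13 09:00:00", "roles": "editor"},
    {"user_login": "dev_k2f9xz", "user_registered": "2026-06-13 15:12:44", "roles": "administrator"},
])
SAMPLE_PLUGINS = json.dumps([
    {"name": "optinmonster", "title": "OptinMonster", "status": "active"},
    {"name": "content-delivery-helper", "title": "Content Delivery Helper", "status": "active"},
])

def audit_users(users_json):
    """Return administrators whose login matches the rogue pattern or whose
    account was registered inside the attack window (WordPress stores
    user_registered in UTC)."""
    findings = []
    for u in json.loads(users_json):
        if "administrator" not in u.get("roles", ""):
            continue
        registered = datetime.fromisoformat(u["user_registered"]).replace(tzinfo=timezone.utc)
        reasons = []
        if ROGUE_LOGIN_RE.match(u["user_login"]):
            reasons.append("login matches reported rogue pattern")
        if WINDOW_START <= registered <= WINDOW_END:
            reasons.append("registered inside attack window")
        if reasons:
            findings.append({"user_login": u["user_login"], "reasons": reasons})
    return findings

def audit_plugins(plugins_json):
    """Return installed plugin titles matching the reported backdoor names."""
    return [p["title"] for p in json.loads(plugins_json)
            if p.get("title", "").strip().lower() in BACKDOOR_PLUGIN_TITLES]
```

Both functions return lists of findings for further triage; a clean result does not rule out a backdoor that was renamed, so follow up with a file-level review of wp-content/plugins and rotate credentials as the page recommends.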

What we don't know yet

  • Scope of actual compromise: the number of sites where rogue administrator accounts were successfully created before scripts were pulled is not disclosed in incident reporting.
  • UpdraftPlus CVE used: the specific vulnerability exploited on Awesome Motive's marketing server is not named, and whether a patch was available before the incident remains unclear.
  • Tidio-impersonating C2 domain: whether the domain used for backdoor command-and-control has been taken down or sinkholed is not addressed in reporting.