OptinMonster Supply Chain Attack Hits 1.2M Sites

[Diagram: OptinMonster supply chain attack, showing the CDN compromise leading to a backdoor plugin being installed through WordPress administrator accounts]

Popular WordPress plugins have found themselves at the center of a supply chain attack in which the plugin code itself was never modified. Instead, attackers compromised the infrastructure that delivers the plugins' scripts to the sites running them. Three plugins from Awesome Motive were affected: OptinMonster, TrustPulse, and PushEngage. OptinMonster alone runs on at least 1.2 million sites and is widely used for lead generation and conversion optimization. The attack was uncovered by Sansec, a security firm specializing in e-commerce.

How Attackers Got In

The attackers gained access to an auxiliary marketing server belonging to Awesome Motive by exploiting a known vulnerability in the UpdraftPlus plugin installed on it. Although this server had no connection to the company's core production infrastructure, it stored an API key for the company's account on a content delivery network, or CDN. With that key, the attackers replaced the JavaScript files the CDN was serving to every site running the plugins. The lesson for anyone operating a CDN is the usual one: a credential stored on a low-value host inherits none of that host's low value, so CDN keys should be scoped as narrowly as the platform allows and kept off machines that do not need them.

From Compromised Script to Admin Backdoor

The malicious script activated whenever a WordPress administrator visited a page that loaded it. Because the browser executes the script in the site's own origin, it runs with the administrator's session and can make authenticated requests on their behalf, which is exactly what happened: the injected code intercepted authentication tokens and used them to create a fraudulent administrator account. From there, a hidden backdoor plugin was installed, equipped with a web shell and remote code execution capability. Stolen data was exfiltrated through a domain designed to mimic the legitimate Tidio service. To complicate detection, the backdoor plugin periodically changed its display name, at times disguising itself as Content Delivery Helper or Database Optimizer. A plugin's display name is just attacker-controlled metadata in its header comment, so it is not a reliable thing to search for.

Timeline of the Compromise

The malicious scripts began spreading on June 12. OptinMonster and TrustPulse were cleaned up within a matter of hours, while PushEngage remained compromised until June 14. Awesome Motive has since restored the affected server, migrated it to a new platform, and rotated all credentials, including the CDN API key. According to the company, its source code, application servers, and customer data remained unaffected throughout the incident. You can read Sansec's full research report on the attack for additional technical detail.

What Site Owners Should Check

Anyone running these plugins during the June 12 to June 14 window described above should review their administrator accounts for unfamiliar users named developer_api1 or anything beginning with dev_. It is also worth comparing the contents of the wp-content/plugins directory on disk against the plugins you actually installed: the backdoor changes its display name, but its directory on disk does not, so compare directory slugs rather than names, and include dot-directories, which a plain directory listing hides. Beyond that, site owners should run a full malware scan on the server and rotate administrator passwords, API keys, database credentials, and the WordPress security keys and salts in wp-config.php. Remove the rogue account and the backdoor plugin before rotating, otherwise the attacker simply collects the new credentials.
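The two account and plugin checks above, as an added shell helper written for this page (it is not Sansec's or Awesome Motive's tooling). It assumes a POSIX host where WP-CLI is available as `wp`; the two check functions themselves only need sh, grep and find, so they can be exercised on constructed input, and the allowlist file (`allow.txt` in the comments) is a name chosen for the example.

```shell
#!/bin/sh
# Example triage helper for a site that ran the affected plugins during the
# compromise window. Added for this page; not the vendor's or Sansec's code.

# flag_suspicious_users: reads one user_login per line on stdin and prints the
# ones matching the account names the report associates with the backdoor
# (developer_api1, or anything beginning with dev_). Exits 0 either way so it
# can be used under `set -e`.
flag_suspicious_users() {
    grep -E '^(developer_api1|dev_.*)$' || true
}

# unknown_plugin_dirs DIR ALLOWLIST: prints every entry directly under DIR
# (plugin directories, single-file plugins such as hello.php, and dot-directories
# that `ls` would hide) whose name is not listed in ALLOWLIST, one per line.
# The backdoor plugin rotates its display name, but its directory slug on disk
# stays the same, so the comparison is done on slugs, not on names.
unknown_plugin_dirs() {
    dir=$1
    allow=$2
    find "$dir" -mindepth 1 -maxdepth 1 \( -type d -o -type f -name '*.php' \) \
        -exec basename {} \; | sort |
    while IFS= read -r slug; do
        grep -qxF -- "$slug" "$allow" || printf '%s\n' "$slug"
    done
}

# run_checks WP_ROOT ALLOWLIST: wires both checks to a live install via WP-CLI.
# ALLOWLIST is a file with one expected plugin slug per line (hypothetical name
# allow.txt), built from a clean backup or from what you know you installed.
run_checks() {
    root=$1
    allow=$2
    echo "== administrator accounts matching known backdoor names =="
    wp --path="$root" user list --role=administrator --field=user_login |
        flag_suspicious_users
    echo "== plugin slugs on disk that are not in $allow =="
    unknown_plugin_dirs "$root/wp-content/plugins" "$allow"
}

# Usage on a real site (not run here):
#   run_checks /var/www/html ./allow.txt
```

Treat any slug that the second check prints as something to inspect, not just delete: you want to know what it did and whether it created other persistence before you start rotating credentials.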

The Threat Isn’t Fully Over

Even though the malicious scripts have since been removed from the CDN, that only stops new infections. Any site where the backdoor plugin or the fraudulent administrator account remains in place is still effectively under the attacker's control, and because the plugins themselves were never modified, updating them does nothing to remove that foothold.
