A sophisticated supply-chain attack targeting WordPress plugin giant Awesome Motive has injected malicious JavaScript into CDN-served files used by over 1.2 million websites, security researchers at Sansec confirmed on June 13, 2026.
The campaign, still active as of June 13, silently creates backdoor administrator accounts and installs a self-hiding malware plugin on affected WordPress sites, giving attackers complete, unauthenticated remote control.
The breach affected three of Awesome Motive’s most widely deployed plugins: OptinMonster (1M+ active installs), TrustPulse, and PushEngage.
Attackers tampered with legitimate JavaScript SDK files served directly from Awesome Motive’s CDN endpoints hosted on BunnyNet, meaning every WordPress site loading these scripts pulled the poisoned file from the source, without any individual site being touched.
The compromised CDN endpoints include:
- a.omappapi.com/app/js/api.min.js (HostBrand/OptinMonster)
- a.opmnstr.com/app/js/api.min.js (OptinMonster)
- a.optnmstr.com/app/js/api.min.js (OptinMonster)
- a.trstplse.com/app/js/api.min.js (TrustPulse)
- clientcdn.pushengage.com/sdks/pushengage-web-sdk.js (PushEngage)
This mirrors the 2024 Polyfill supply-chain attack that Sansec previously exposed: tamper with a single upstream file, and malware silently reaches millions of downstream sites at scale.
The injected JavaScript is engineered to evade detection and execute in precise conditions. It immediately exits if it detects navigator.webdriver, a headless browser, or a zero-sized window.
It only proceeds when it identifies a logged-in WordPress administrator, via wp-admin paths, the admin bar, or a wordpress_logged_in_ cookie. A 24-hour localStorage throttle (_pe_ts) prevents repeated execution.
Once activated, the payload:
- Fingerprints the WordPress installation: identifies the root path, admin URL and WordPress version, and harvests REST and AJAX nonces from wpApiSettings.nonce, admin-ajax.php and user-new.php
- Creates a rogue admin account using four sequential fallback methods: the user-new.php form, admin-ajax.php, the REST endpoint wp/v2/users, and a hidden iframe form submission, recognizing “user already exists” responses in ~20 languages
- Installs a self-hiding PHP backdoor plugin that disappears from the admin dashboard, plugin list, REST API, and update checks
- Exfiltrates credentials: the new admin username, password, site origin, logout URL, WordPress version, and timing data are XOR-encrypted (key: jX9kM2nP4qR6sT8v), base64-encoded, and beaconed to tidio.cc/cdn-cgi/*, a typosquat of the legitimate tidio.com
The exfiltration uses cascading delivery: sendBeacon, then fetch (no-cors), then XHR, then an Image().src beacon.
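For responders who capture one of these beacons in proxy or web-server logs, the reported encoding (XOR with the published key, then base64) can be reversed offline. This is an added decoder written for this article, not code from Sansec or from the malware; it assumes a plain repeating-key XOR over the raw bytes, which the write-up does not spell out, and the sample record is constructed, not a real capture.

```python
import base64

# Key reported by Sansec for the XOR step of the beacon encoding.
XOR_KEY = b"jX9kM2nP4qR6sT8v"

def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR (assumption: the article does not give the key schedule)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_beacon(blob: str, key: bytes = XOR_KEY) -> str:
    """Reverse the reported pipeline: base64 -> XOR -> text.
    Tolerates the URL-safe alphabet and stripped padding, as seen in query strings."""
    blob = blob.strip()
    raw = base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4))
    return xor_bytes(raw, key).decode("utf-8", errors="replace")

# Constructed fixture, not a real capture: a plausible record run through the same
# two steps so the decoder has something to work on offline.
SAMPLE_RECORD = '{"u":"dev_a1b2c3","p":"<constructed>","o":"https://example.test","v":"6.5"}'
SAMPLE_BLOB = base64.b64encode(xor_bytes(SAMPLE_RECORD.encode())).decode()

if __name__ == "__main__":
    print(decode_beacon(SAMPLE_BLOB))
```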
The installed plugin hides from every standard WordPress visibility surface. It exposes two dangerous entry points with no authentication required:
- A POST to ?developer_api1_fm — opens a web shell branded “WPM File Manager & Shell,” executing system($_POST['cmd']) and accepting file uploads
- A POST to developer_api1_eval — runs eval(base64_decode(...)) on any attacker-supplied input
The plugin rotates its disguise while keeping logic identical. Observed names include “Content Delivery Helper” (v2.7.1) and “Database Optimizer” (v2.9.4). Each download generates a fresh ZIP fetched from tidio.cc/cdn-cgi/l?t=gen, decoded through the same XOR key.
Patchstack independently confirmed active exploitation, blocking 271 rogue-admin creation attempts across 13 sites on June 14–15. Of these, 263 targeted the REST wp/v2/users endpoint, matching the payload’s fallback order.
The attempts originated from 81 unique IPs, with 267 using randomized dev_xxxxxx accounts and 4 using the fixed developer_api1 account.
Awesome Motive’s own incident disclosure reveals the root cause: attackers exploited a known vulnerability in the UpdraftPlus WordPress backup plugin to access the server hosting its marketing website, discovered a CDN API key stored on that server, and used it to tamper with SDK files.
After detection, the company reverted files, purged CDN cache, rotated the compromised key, and migrated the marketing site to new infrastructure.
If any admin was logged in during the injection window (June 12–14), assume compromise. Take these actions immediately:
- Search for rogue accounts: developer_api1 (customer1usx@gmail.com) and any dev_xxxxxx accounts — delete them
- Scan the filesystem under wp-content/plugins/ directly for content-delivery-helper and database-optimizer — do not rely on the admin dashboard, as the plugin actively hides itself
- Rotate all admin passwords, secret keys, and salts in wp-config.php
- Assume unauthenticated code execution has occurred and treat the server as fully compromised
- Run server-side scanning tools like Sansec’s eComscan for comprehensive backdoor and malware detection
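The first two steps above can be scripted so the check reads the disk rather than the dashboard the backdoor hides from. The following is an added example for this article, not a Sansec or Patchstack tool: it walks wp-content/plugins for the two reported directory names and for indicator strings from the write-up, and matches usernames against the reported developer_api1 and dev_xxxxxx patterns (the assumption that "xxxxxx" is six alphanumerics is mine). The sample plugin tree is constructed in a temp directory and contains inert marker text only.

```python
import re
import tempfile
from pathlib import Path

# Names and strings taken from the article; the username pattern is an assumption
# (six random alphanumerics after "dev_", based on the reported "dev_xxxxxx").
SUSPECT_DIRS = {"content-delivery-helper", "database-optimizer"}
SUSPECT_STRINGS = ("developer_api1", "tidio.cc", "jX9kM2nP4qR6sT8v", "WPM File Manager")
ROGUE_USER_RE = re.compile(r"^(developer_api1|dev_[a-z0-9]{6})$", re.IGNORECASE)

def is_rogue_username(name: str) -> bool:
    """True for the fixed developer_api1 account or a randomized dev_xxxxxx account."""
    return bool(ROGUE_USER_RE.match(name))

def scan_plugins(plugins_dir: Path) -> dict:
    """Inspect wp-content/plugins on disk, since the backdoor hides from the dashboard."""
    findings = {"suspect_dirs": [], "suspect_files": {}}
    for entry in sorted(plugins_dir.iterdir()):
        if entry.is_dir() and entry.name.lower() in SUSPECT_DIRS:
            findings["suspect_dirs"].append(entry.name)
    for php in sorted(plugins_dir.rglob("*.php")):
        try:
            text = php.read_text(errors="ignore")
        except OSError:
            continue
        hits = [s for s in SUSPECT_STRINGS if s in text]
        if hits:
            findings["suspect_files"][php.relative_to(plugins_dir).as_posix()] = hits
    return findings

def build_fixture(root: Path) -> Path:
    """Constructed sample tree: one clean plugin and one plugin carrying marker strings.
    The marker file is inert comment text, not the real backdoor."""
    plugins = root / "wp-content" / "plugins"
    (plugins / "akismet").mkdir(parents=True)
    (plugins / "akismet" / "akismet.php").write_text("<?php // Plugin Name: Akismet\n")
    bad = plugins / "database-optimizer"
    bad.mkdir()
    (bad / "database-optimizer.php").write_text(
        "<?php // Plugin Name: Database Optimizer\n// constructed markers: developer_api1 tidio.cc\n")
    return plugins

def demo() -> dict:
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_plugins(build_fixture(Path(tmp)))

if __name__ == "__main__":
    print(demo())
    print([u for u in ("admin", "dev_a1b2c3", "developer_api1") if is_rogue_username(u)])
```

On a live site, point scan_plugins at the real wp-content/plugins path and feed is_rogue_username the user_login column from the users table; a match in either is a reason to treat the server as compromised, not a reason to stop looking.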
Other Awesome Motive products, including WPForms (6M+ installs), MonsterInsights (~2M), and All in One SEO (~3M), have not been confirmed compromised, but administrators of any Awesome Motive plugin should remain on high alert.
FAQ
Q1: Which WordPress plugins were affected by the Awesome Motive supply-chain attack?
OptinMonster, TrustPulse, and PushEngage CDN scripts were confirmed to carry malicious JavaScript; other Awesome Motive plugins have not yet been confirmed compromised.
Q2: How did attackers gain access to Awesome Motive’s CDN files?
They exploited a known UpdraftPlus plugin vulnerability on Awesome Motive’s marketing server to steal a BunnyNet CDN API key, which they used to tamper with SDK files.
Q3: How can I check if my WordPress site was backdoored in this attack?
Search your filesystem under wp-content/plugins/ for “content-delivery-helper” or “database-optimizer,” and check for rogue admin accounts named developer_api1 or matching dev_xxxxxx — the backdoor hides from the WordPress dashboard.
Q4: Is the Awesome Motive supply-chain attack still active?
Sansec confirmed the malicious CDN files were cleaned by June 14, 2026, but the C2 domain tidio.cc remained live and generating fresh payloads as of the latest reports.
Site: thecybrdef.com