Overview
A major supply-chain attack has struck the WordPress ecosystem: trusted JavaScript files from PushEngage, OptinMonster, and TrustPulse, all owned by Awesome Motive, were tampered with to install hidden backdoors on websites. The malicious code targeted logged-in administrators, silently creating attacker-controlled accounts and installing a concealed plugin that opened a persistent remote access channel.

Attack Summary
Security firm Sansec discovered the campaign on June 13, 2026, identifying identical malicious code served through each plugin’s content‑delivery network (CDN).
| Plugin | Exposure Window | Impact |
|---|---|---|
| PushEngage | Several hours (June 12 – June 14) | Longest window of active infection |
| OptinMonster | ~25 minutes (June 12 22:17 – 22:42 UTC) | Brief but high‑reach exposure |
| TrustPulse | ~25 minutes (June 12 22:17 – 22:42 UTC) | Similar short window of risk |
Together, these plugins reach over 1.2 million WordPress sites, making this one of the largest plugin‑level compromises in recent memory.
How the Attack Worked
The poisoned JavaScript files acted only when a logged‑in administrator loaded them. Ordinary visitors were unaffected.
Attack Chain:
- Tampered Script Loaded → Malicious code runs only when an administrator is logged in.
- Admin Session Hijacked → The attacker uses that session to create a new admin account under their control.
- Hidden Plugin Installed → A concealed plugin opens a web shell for remote commands.
- Data Exfiltration → Credentials and site details are sent to tidio[.]cc, a fake domain mimicking tidio.com.
The malware used the admin’s session to act with full permissions, installing a plugin that does not appear in the WordPress dashboard. From there, attackers could read or modify files, copy databases, inject card‑skimming code, or redirect visitors.
Entry Point and Dispute
The origin of the breach remains in dispute.
- PushEngage's account → The attacker exploited a known flaw in the UpdraftPlus backup plugin to reach a marketing server that held a CDN API key.
- Sansec's analysis → The breach may instead have occurred on Awesome Motive's own servers or CDN account, rather than at the CDN provider itself.
The fake domain tidio[.]cc was registered weeks before the attack, indicating a planned operation rather than a quick exploit.
What to Check and Do
Any site that ran PushEngage, OptinMonster, or TrustPulse during the exposure window should be treated as compromised.
Immediate Actions:
- Run Server-Side Scans → Dashboard checks will miss payloads that trigger only for logged-in admins, so inspect the filesystem and database directly rather than through the WordPress UI.
- Inspect Filesystem → Look for plugin folders named content-delivery-helper or database-optimizer under wp-content/plugins; the backdoor plugin does not list itself in the dashboard.
- Delete Unknown Admin Accounts → Especially developer_api1 or dev_xxxxxx.
- Review Logs → Check for outbound connections to tidio[.]cc or the IP 84.201.6.54.
- Rotate Credentials → Reset admin passwords, API keys, database credentials, and WordPress salts. Do this after the backdoor and rogue accounts are removed; rotating first only hands the attacker the new values through the still-open web shell.
If any indicator is found, assume the attacker has persistent access and rebuild the site from clean backups.
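The sweep the list above describes, written out as an added example (this is not Sansec's or Awesome Motive's tooling). It checks the three indicator classes from the advisory directly on the server: plugin folders on disk, the administrator login list (for example the output of `wp user list --role=administrator --field=user_login`), and a batch of outbound-connection log lines. The WordPress root path, the log format, and the interpretation of `dev_xxxxxx` as six lowercase alphanumeric characters are assumptions; all sample data at the bottom is constructed.

```python
"""Server-side IOC sweep for the PushEngage / OptinMonster / TrustPulse compromise.

Added example, not vendor or Sansec code. Inputs are supplied by the operator:
the WordPress root on disk, the admin logins, and outbound-connection log lines.
The sample data at the bottom is constructed for illustration.
"""
import os
import re
import tempfile

# Indicators taken from the advisory. The domain is stored defanged and only
# refanged inside the matcher so this file never contains a resolvable name.
SUSPICIOUS_PLUGIN_DIRS = {"content-delivery-helper", "database-optimizer"}
# Assumption: dev_xxxxxx in the advisory means six lowercase alphanumerics.
SUSPICIOUS_ADMIN_RE = re.compile(r"^(developer_api1|dev_[0-9a-z]{6})$")
EXFIL_DOMAIN_DEFANGED = "tidio[.]cc"
EXFIL_IP = "84.201.6.54"

# Boundaries are explicit so tidio.com (the legitimate look-alike target) and
# addresses that merely contain the IP as a substring are not reported.
_DOMAIN_RE = re.compile(
    r"(?<![\w-])" + re.escape(EXFIL_DOMAIN_DEFANGED.replace("[.]", ".")) + r"(?![\w-])"
)
_IP_RE = re.compile(r"(?<!\d)(?<!\d\.)" + re.escape(EXFIL_IP) + r"(?!\.?\d)")


def find_hidden_plugins(wp_root):
    """Return plugin folders on disk whose name is a known backdoor folder.

    The plugin hides itself from the dashboard list, so the filesystem,
    not the admin UI, is the source of truth.
    """
    plugins = os.path.join(wp_root, "wp-content", "plugins")
    if not os.path.isdir(plugins):
        return []
    return sorted(
        os.path.join(plugins, name)
        for name in os.listdir(plugins)
        if name in SUSPICIOUS_PLUGIN_DIRS
    )


def find_rogue_admins(admin_logins):
    """Return administrator logins matching the names the malware created."""
    return sorted(login for login in admin_logins if SUSPICIOUS_ADMIN_RE.match(login))


def find_exfil_connections(log_lines):
    """Return log lines that reference the exfil domain or the attacker IP."""
    return [line for line in log_lines if _DOMAIN_RE.search(line) or _IP_RE.search(line)]


def sweep(wp_root, admin_logins, log_lines):
    """Run all three checks and return findings keyed by indicator type."""
    return {
        "hidden_plugins": find_hidden_plugins(wp_root),
        "rogue_admins": find_rogue_admins(admin_logins),
        "exfil_connections": find_exfil_connections(log_lines),
    }


def is_compromised(findings):
    """A single hit means: assume persistent access and rebuild from clean backups."""
    return any(findings.values())


# --- constructed sample data (not from a real site) -----------------------
SAMPLE_ADMINS = ["alice", "developer_api1", "dev_k7x2q9", "devops", "dev_short"]
SAMPLE_LOG_LINES = [  # constructed, generic proxy-style outbound log
    "2026-06-13T01:12:04Z CONNECT www.tidio.com:443 200",
    "2026-06-13T01:12:09Z CONNECT tidio.cc:443 200",
    "2026-06-13T01:12:11Z CONNECT 184.201.6.54:443 200",
    "2026-06-13T01:12:15Z CONNECT 84.201.6.54:8080 200",
]


def make_sample_site():
    """Create a throwaway WordPress-like tree with one benign and one bad plugin."""
    root = tempfile.mkdtemp(prefix="wp-ioc-")
    for name in ("akismet", "content-delivery-helper"):
        os.makedirs(os.path.join(root, "wp-content", "plugins", name))
    return root


def run_sample():
    """Sweep the constructed site; returns the findings dict."""
    return sweep(make_sample_site(), SAMPLE_ADMINS, SAMPLE_LOG_LINES)


if __name__ == "__main__":
    result = run_sample()
    for kind, hits in result.items():
        print(f"{kind}: {hits}")
    print("COMPROMISED" if is_compromised(result) else "no indicators found")
```

On a real host, replace `make_sample_site()` with the actual document root, feed the admin list from WP-CLI or a direct query against wp_users/wp_usermeta, and point the log check at whatever records egress from the web server (proxy, firewall, or netflow). A clean sweep is not proof of a clean site: the list of indicators is the selected subset published so far, so a site that was in the exposure window should still be rebuilt.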
Indicators of Compromise (Selected)
| Type | Indicator | Description |
|---|---|---|
| Domain | tidio[.]cc | Fake domain used for data exfiltration |
| IP Address | 84.201.6.54 | Attacker server observed in Sansec logs |
| File Names | content‑delivery‑helper, database‑optimizer | Hidden plugin folders on infected sites |
| Admin Accounts | developer_api1, dev_xxxxxx | Unauthorized accounts created by malware |
(Indicators are defanged to prevent accidental resolution.)
Expert in the Cloud Insight
This incident is a textbook example of a supply‑chain attack through trusted plugins. When attackers tamper with CDN‑served scripts, they turn routine updates into infection vectors. The lesson for WordPress administrators is clear: trust must be verified continuously.
For defenders, the path forward is to combine server‑side integrity scans, plugin signature validation, and strict CDN key management. Even a brief window of tampering can cascade into mass compromise across millions of sites.
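One concrete form of the script-integrity check the paragraph above calls for, added here as an example and not code from Awesome Motive, Sansec, or the plugins themselves: pin a Subresource Integrity digest for each CDN-served script at review time and refuse any body that does not match. The script bodies and the URL are constructed.

```python
"""Integrity pinning for CDN-served scripts, in Subresource Integrity format.

Added example, not vendor code. A site (in the browser, via the integrity
attribute) or a server-side monitor (fetching the CDN URL on a schedule)
hashes the script bytes and compares them against a digest pinned when the
script was last reviewed. The script bodies below are constructed.
"""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only algorithms SRI permits


def sri_digest(body, algo="sha384"):
    """Return an SRI-formatted digest such as 'sha384-<base64>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI permits {SRI_ALGOS}, not {algo!r}")
    raw = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def verify_integrity(body, pinned):
    """True only if body hashes to one of the pinned digests.

    `pinned` may hold several space-separated values, which SRI allows so a
    rollover can pin the old and new versions at once. Unknown algorithms
    are skipped rather than trusted.
    """
    for token in pinned.split():
        algo, _, _ = token.partition("-")
        try:
            expected = sri_digest(body, algo)
        except ValueError:
            continue
        if hmac.compare_digest(expected, token):
            return True
    return False


def script_tag(src, pinned):
    """Render the <script> tag a site ships so the browser enforces the pin."""
    return f'<script src="{src}" integrity="{pinned}" crossorigin="anonymous"></script>'


# --- constructed script bodies (not the real plugin files) -----------------
CLEAN_SCRIPT = b"(function(){window.ExampleSDK=window.ExampleSDK||[];})();"
TAMPERED_SCRIPT = CLEAN_SCRIPT + b";(function(){/* attacker-appended payload */})();"

# Digest recorded when the clean script was reviewed.
PINNED = sri_digest(CLEAN_SCRIPT)

if __name__ == "__main__":
    print(script_tag("https://cdn.example.invalid/sdk.js", PINNED))
    print("clean verifies:   ", verify_integrity(CLEAN_SCRIPT, PINNED))
    print("tampered verifies:", verify_integrity(TAMPERED_SCRIPT, PINNED))
```

The trade-off is deliberate: a pinned digest breaks the moment the CDN pushes a new version, which is exactly the event an operator should have to approve. If a plugin injects its script dynamically instead of through a static tag, the browser's SRI attribute does not apply, and the same comparison has to run out of band against periodic fetches of the CDN URL.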