Supply chain · Contained

OptinMonster, TrustPulse and PushEngage WordPress plugins backdoored in Awesome Motive CDN supply-chain attack

Attackers stole a CDN API key from Awesome Motive and tampered with JavaScript served to the OptinMonster, TrustPulse and PushEngage WordPress plugins, silently creating rogue administrator accounts and planting backdoors on sites whose logged-in admins loaded the malicious code.

Victim
Awesome Motive (OptinMonster, TrustPulse, PushEngage)

On 13 June 2026, security firm Sansec disclosed a supply-chain attack against Awesome Motive, the company behind a portfolio of widely used WordPress marketing plugins. Attackers had tampered with JavaScript files distributed through Awesome Motive's content delivery network (CDN), poisoning the scripts loaded by the OptinMonster, TrustPulse and PushEngage plugins. OptinMonster alone is installed on at least 1.2 million websites.

What happened

The intruders first exploited a known vulnerability in a third-party plugin, UpdraftPlus, running on one of Awesome Motive's marketing website servers. From there they accessed the server, located credentials for the company's CDN account, and used the stolen CDN API key to modify JavaScript files served to plugin users. Because the scripts were loaded directly from the legitimate CDN, affected WordPress sites silently pulled the malicious code without any local file change.

The injected JavaScript was designed to execute inside the browser of any logged-in WordPress administrator who loaded an affected page. Riding that administrator's own authenticated session, the code silently created hidden administrator accounts and installed a self-hiding backdoor plugin, handing the attackers persistent, privileged access to compromised sites. Awesome Motive said the tampered scripts were served for a short period starting 12 June: OptinMonster and TrustPulse were affected briefly that evening, while some PushEngage CDN nodes kept serving the malicious payload until around 19:02 UTC on 14 June.

Why it matters

This was a classic CDN supply-chain compromise: a single stolen API key turned trusted, centrally hosted scripts into a delivery channel for backdoors across potentially over a million sites, with no malicious file ever written to the victim servers themselves. Because the payload weaponised the session of whichever administrator happened to load it, detection and clean-up are harder than a conventional plugin update hack. Awesome Motive said it remediated the marketing site, migrated it to a new server and rotated all credentials including the CDN API key, but site owners running the affected plugins were urged to audit for unexpected administrator accounts and unknown plugins.
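The audit urged above can be sketched as follows; this is an added example, not code from Awesome Motive, Sansec or the original page. It assumes the administrator and plugin lists were exported as JSON with WP-CLI, that the site owner supplies the expected-admin and expected-plugin allowlists, and that the function names and sample data are hypothetical and constructed for illustration.

```python
# Added example: audit inputs are constructed samples, not data from the incident.
import json
from datetime import datetime, timezone

# Tampered scripts were served starting 12 June 2026 (per the page); audit from that day.
WINDOW_START = datetime(2026, 6, 12, tzinfo=timezone.utc)

def audit_admins(wp_users_json, expected_logins):
    """Flag administrators that are unexpected or registered since the window opened."""
    findings = []
    for user in json.loads(wp_users_json):
        # WordPress stores user_registered in UTC as 'YYYY-MM-DD HH:MM:SS'.
        registered = datetime.strptime(
            user["user_registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        reasons = []
        if user["user_login"] not in expected_logins:
            reasons.append("not on expected-admin list")
        if registered >= WINDOW_START:
            reasons.append("registered during or after exposure window")
        if reasons:
            findings.append((user["user_login"], reasons))
    return findings

def audit_plugins(wp_plugins_json, on_disk_entries, expected_slugs):
    """Flag plugins present on disk but not reported, and reported ones not expected."""
    reported = {p["name"] for p in json.loads(wp_plugins_json)}
    # Single-file plugins appear on disk as slug.php; index.php is the stock placeholder.
    on_disk = {e[:-4] if e.endswith(".php") else e for e in on_disk_entries} - {"index"}
    return {
        "on_disk_not_reported": sorted(on_disk - reported),
        "reported_not_expected": sorted(reported - set(expected_slugs)),
    }

# Constructed sample output of:
#   wp user list --role=administrator --fields=user_login,user_registered --format=json
SAMPLE_USERS = json.dumps([
    {"user_login": "site-owner", "user_registered": "2023-02-01 09:15:00"},
    {"user_login": "example-rogue", "user_registered": "2026-06-12 22:30:11"},
])
# Constructed sample output of: wp plugin list --fields=name,status --format=json
SAMPLE_PLUGINS = json.dumps([
    {"name": "optinmonster", "status": "active"},
    {"name": "akismet", "status": "active"},
])
# Constructed listing of wp-content/plugins; "example-hidden" stands in for a self-hiding plugin.
SAMPLE_DISK = ["optinmonster", "akismet", "example-hidden", "index.php"]

if __name__ == "__main__":
    print(audit_admins(SAMPLE_USERS, {"site-owner"}))
    print(audit_plugins(SAMPLE_PLUGINS, SAMPLE_DISK, {"optinmonster", "akismet"}))
```

Running WP-CLI with its global `--skip-plugins --skip-themes` flags keeps a hiding plugin's hooks from loading while the lists are exported. The `user_registered` value is only a lead, since anyone with database access can rewrite it, so the allowlist comparison carries more weight than the date check.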

Timeline

  1. Tampered scripts begin serving from Awesome Motive's CDN; malicious code is delivered to OptinMonster and TrustPulse users for a short window the same evening (around 22:17–22:42 UTC).

  2. Security firm Sansec discloses the malicious JavaScript found across the OptinMonster, TrustPulse and PushEngage CDN scripts.

  3. PushEngage CDN nodes continue serving the malicious payload until around 19:02 UTC; Awesome Motive remediates the marketing site, migrates servers and rotates all credentials including the CDN API key.

Sources

  1. sansec.io: https://sansec.io/research/optinmonster-supply-chain-attack
  2. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/optinmonster-wordpress-plugin-hacked-in-cdn-supply-chain-attack/
  3. thehackernews.com: https://thehackernews.com/2026/06/popular-wordpress-plugin-scripts.html
  4. patchstack.com: https://patchstack.com/articles/supply-chain-attack-on-optinmonster-trustpulse-and-pushengage-tampered-cdn-scripts-auto-creating-rogue-admins/
  5. securityaffairs.com: https://securityaffairs.com/193616/malware/supply-chain-attack-hits-popular-wordpress-plugins-through-awesome-motive-cdn.html
  6. infosecurity-magazine.com: https://www.infosecurity-magazine.com/news/wordpress-plugin-supply-chain/
