[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPYRUPrWkoHNU3Kh8y6R9An4jporcOm-Ngt_Upyw4mh4":3},{"article":4,"iocs":51},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"745ae8a1-7972-423f-9483-08c0ed31bef5","OptinMonster WordPress plugin hacked in CDN supply-chain attack","optinmonster-wordpress-plugin-hacked-in-cdn-supply-chain-attack-e1ab59","WordPress plugins OptinMonster, TrustPulse, and PushEngage have been compromised in a supply-chain attack impacting Awesome Motive-s content distribution network (CDN). [...]","WordPress plugins OptinMonster, TrustPulse, and PushEngage were compromised through a supply-chain attack targeting Awesome Motive's CDN. Attackers exploited a vulnerability in UpdraftPlus to gain access to CDN credentials, injecting malicious scripts into JavaScript files. These scripts created rogue administrator accounts and installed backdoors on affected websites when an administrator visited an infected page.","OptinMonster, TrustPulse, and PushEngage WordPress plugins compromised via CDN supply-chain attack.","OptinMonster WordPress plugin hacked in CDN supply-chain attack By Bill Toulas June 15, 2026 01:37 PM 0 WordPress plugins OptinMonster, TrustPulse, and PushEngage have been compromised in a supply-chain attack impacting Awesome Motive's content distribution network (CDN). Of the three products, the OptinMonster lead-generation and conversion optimization platform is the most popular, with at least 1.2 million websites using it. E-commerce security firm Sansec discovered the attack over the weekend and found that malicious scripts were served to unsuspecting OptinMonster and TrustPulse users on Friday between 22:17 UTC and 22:42 UTC. PushEngage continued to serve malicious JavaScript code until 19:02 UTC on Saturday. The malware triggered only when a WordPress administrator visited a page on an infected website, collecting authentication tokens and nonces, and using them to create a rogue administrator account. The intruders then installed a self-hiding backdoor plugin and established a communication channel with a domain impersonating Tidio to send any newly captured data. The plugin also provided full remote access capabilities, including a web shell (\"WPM File Manager & Shell\") and arbitrary PHP code execution, granting attackers full control of compromised websites. “The operator rotates the plugin's disguise while keeping the logic byte-identical across renames,” Sansec says. “We have observed it shipping as \"Content Delivery Helper\" (content-delivery-helper, v2.7.1) and, currently, as \"Database Optimizer\" (database-optimizer, v2.9.4).” Awesome Motive published a security advisory earlier today about the incident, explaining that hackers gained access to a server in its environment after exploiting a known flaw in the UpdraftPlus WordPress plugin. This server hosted a marketing website and was not connected to the company’s production infrastructure or data systems; however, it hosted credentials for the company's CDN account, which the hackers stole. Using the stolen CDN API key, the attackers modified JavaScript files distributed via Awesome Motive's CDN, causing websites to silently load malicious code directly from the CDN. The affected files are: a.omappapi.com\u002Fapp\u002Fjs\u002Fapi.min.js – OptinMonster a.opmnstr.com\u002Fapp\u002Fjs\u002Fapi.min.js – OptinMonster a.optnmstr.com\u002Fapp\u002Fjs\u002Fapi.min.js – OptinMonster a.trstplse.com\u002Fapp\u002Fjs\u002Fapi.min.js – TrustPulse Awesome Motive reports that the malicious scripts were served for a short period on June 12 for OptinMonster and Trust Pulse, albeit not confirming the impact on PushEngage. “We have since remediated the marketing site, migrated it to a new server, and rotated all credentials, including the CDN API key,”Awesome Motive stated. The company also assured that its application servers, source code, and plugin hosting servers were not compromised. “Our application servers, our source code, and the systems that store your OptinMonster and TrustPulse account information are hosted separately and were not breached,” stated the publisher. “We have no evidence that account data or personal details held by us were accessed.” Site owners who might have been affected are recommended to: Check for, and remove rogue admin accounts ‘developer_api1’ or ‘dev_xxxxxx’ Inspect the filesystem directly under wp-content\u002Fplugins for hidden backdoor plugins Execute server-side malware scans Rotate administrator passwords, API keys, database credentials, and WordPress security salts. While the malicious content has been removed, the attacker continues to have access to compromised websites as long as the rogue administrator accounts and hidden backdoor plugins are still present. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: GitHub disables Microsoft repos pushing password-stealing malwareNew Shai-Hulud attack trojanizes 19 science-focused PyPI packagesNew IronWorm malware hits 36 packages in npm supply-chain attackNew Shai-Hulud malware wave compromises 600 npm packagesShai Hulud attack ships signed malicious TanStack, Mistral npm packages","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Foptinmonster-wordpress-plugin-hacked-in-cdn-supply-chain-attack\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F06\u002F15\u002FOptinMonster.jpg","2026-06-15T17:37:07+00:00","2026-06-15T18:00:19.485403+00:00",8,[18,21,23,25,28,30],{"name":19,"type":20},"OptinMonster","product",{"name":22,"type":20},"TrustPulse",{"name":24,"type":20},"PushEngage",{"name":26,"type":27},"Awesome Motive","vendor",{"name":29,"type":20},"UpdraftPlus",{"name":31,"type":32},"CDN","technology","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":33,"icon":35,"name":36,"slug":37},null,"Supply Chain","supply-chain",[39,41,46],{"category":40},{"id":33,"icon":35,"name":36,"slug":37},{"category":42},{"id":43,"icon":35,"name":44,"slug":45},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":47},{"id":48,"icon":35,"name":49,"slug":50},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[52,56,58,60,63],{"type":53,"value":54,"context":55},"domain","a.omappapi.com","Malicious CDN domain for OptinMonster",{"type":53,"value":57,"context":55},"a.opmnstr.com",{"type":53,"value":59,"context":55},"a.optnmstr.com",{"type":53,"value":61,"context":62},"a.trstplse.com","Malicious CDN domain for TrustPulse",{"type":45,"value":64,"context":65},"WPM File Manager & Shell","Backdoor plugin used by attackers"]