
1.2M WordPress Sites Exposed After OptinMonster CDN Hack via UpdraftPlus

bleepingcomputer.com · @threat_watch · 3 hours ago · Cybersecurity · 1 comment

Attackers stole an Awesome Motive CDN API key by exploiting a known UpdraftPlus vulnerability, then injected malicious scripts into OptinMonster, TrustPulse and PushEngage for up to 25 hours.

Tags: optinmonster, awesome motive, wordpress, cdn, supply chain, sansec, updraftplus

Over 1.2 million WordPress sites running OptinMonster were exposed to a supply-chain attack that served malicious JavaScript directly from Awesome Motive's CDN. Sansec spotted the breach over the weekend: between Friday June 12 at 22:17 UTC and Saturday June 13 at 19:02 UTC, three plugins - OptinMonster, TrustPulse, and PushEngage - were compromised. The malware only triggered when a WordPress admin visited an infected page, then stole authentication tokens and nonces to create a rogue admin account.

Attackers Exploited an UpdraftPlus Vulnerability to Steal CDN Credentials

Awesome Motive's own security advisory confirmed the initial breach vector: hackers exploited a known flaw in the UpdraftPlus WordPress plugin on a server that hosted a marketing website. That server held credentials for the company's CDN account but was not connected to production infrastructure. Using the stolen CDN API key, attackers modified JavaScript files served from a.omappapi.com, a.opmnstr.com, a.optnmstr.com, and a.trstplse.com. The malicious payload then silently loaded from the CDN onto end-user sites.

Self-Hiding Backdoor with Full Remote Access

Once a rogue admin account (look for usernames like developer_api1 or dev_xxxxxx) was created, the intruders installed a hidden backdoor plugin that rotated its disguise, shipping first as "Content Delivery Helper" (v2.7.1) and later as "Database Optimizer" (v2.9.4). Sansec noted the operator kept the logic byte-identical across renames. The backdoor provided a web shell ("WPM File Manager & Shell") and arbitrary PHP code execution, giving full control of compromised sites. Captured data was exfiltrated to a C2 server impersonating Tidio.

Awesome Motive has since remediated the marketing site, rotated all credentials, and confirmed that application servers, source code, and plugin hosting servers were not directly breached. The damage on downstream sites persists, however: the malicious content has been removed from the CDN, but any compromised site that has not removed the rogue admin accounts and hidden plugins remains fully accessible to the attackers. Site owners should immediately scan for developer_api1 or dev_-prefixed admin users, inspect wp-content/plugins for suspicious entries, rotate all passwords and API keys, and run a server-side malware scan. This incident is a textbook reminder that a single exploited plugin with CDN access can turn a marketing server into a launchpad for infecting millions of sites.
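The triage steps above (rogue admin names, suspicious plugin entries, the compromise window) can be turned into a repeatable check. The script below is an added example written for this page; it is not from BleepingComputer, Sansec or Awesome Motive. It assumes an administrator export produced with WP-CLI (`wp user list --role=administrator --format=csv --fields=user_login,user_registered`) and a `wp-content/plugins` tree; both are replaced here by constructed samples so it runs offline. The year in the compromise window is a placeholder, since the article gives only month, day and UTC time. Plugin headers are parsed with the standard WordPress `Plugin Name:` / `Version:` comment format.

```python
"""Post-incident triage for the OptinMonster CDN compromise (added example).

Flags (1) administrator accounts whose names match the rogue pattern or that
were registered once the compromise window opened, and (2) plugins whose
header carries one of the two disguise names or whose source contains the
web-shell title string named in the write-up.
"""
import csv
import io
import re
from datetime import datetime, timezone

# Indicators quoted in the article.
ROGUE_USER_RE = re.compile(r"^(developer_api1|dev_[A-Za-z0-9]+)$")
ROGUE_PLUGIN_NAMES = {"Content Delivery Helper", "Database Optimizer"}
WEB_SHELL_MARKER = "WPM File Manager & Shell"

# Compromise window (UTC) from the article. YEAR is a placeholder assumption:
# the article states only "Friday June 12" / "Saturday June 13".
YEAR = 2026
WINDOW_START = datetime(YEAR, 6, 12, 22, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(YEAR, 6, 13, 19, 2, tzinfo=timezone.utc)

# WordPress plugin header lines, e.g. " * Plugin Name: Foo" or "Version: 1.0".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version|Author):\s*(.+?)\s*$", re.M)


def parse_plugin_header(php_source):
    """Return the header fields (Plugin Name, Version, Author) found in a plugin file."""
    return dict(HEADER_RE.findall(php_source))


def find_rogue_admins(csv_text):
    """Scan a WP-CLI admin export; return [(user_login, [reasons])] for suspicious rows."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        registered = datetime.strptime(
            row["user_registered"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)  # WordPress stores user_registered in UTC
        reasons = []
        if ROGUE_USER_RE.match(row["user_login"]):
            reasons.append("name matches rogue pattern")
        if registered >= WINDOW_START:
            reasons.append("registered after compromise window opened")
        if reasons:
            hits.append((row["user_login"], reasons))
    return hits


def find_rogue_plugins(plugin_files):
    """plugin_files maps a path under wp-content/plugins to its PHP source.

    Returns [(path, plugin name, version, [reasons])] for flagged entries."""
    hits = []
    for path, src in plugin_files.items():
        header = parse_plugin_header(src)
        name = header.get("Plugin Name", "")
        reasons = []
        if name in ROGUE_PLUGIN_NAMES:
            reasons.append("known disguise name")
        if WEB_SHELL_MARKER in src:
            reasons.append("web shell title string present")
        if reasons:
            hits.append((path, name, header.get("Version", "?"), reasons))
    return hits


# Constructed sample input (not real data from any site).
SAMPLE_USERS_CSV = """user_login,user_registered
siteowner,2021-03-04 10:00:00
dev_a8f3k2,2026-06-13 03:10:00
newadmin,2026-06-14 09:00:00
"""

SAMPLE_PLUGINS = {
    "example-plugin/example-plugin.php": (
        "<?php\n/*\nPlugin Name: Example Legit Plugin\nVersion: 1.4.0\n*/\n"
    ),
    "db-optimizer/db-optimizer.php": (
        "<?php\n/**\n * Plugin Name: Database Optimizer\n * Version: 2.9.4\n */\n"
        "$title = 'WPM File Manager & Shell';\n"
    ),
}

if __name__ == "__main__":
    for login, why in find_rogue_admins(SAMPLE_USERS_CSV):
        print(f"ADMIN  {login}: {', '.join(why)}")
    for path, name, ver, why in find_rogue_plugins(SAMPLE_PLUGINS):
        print(f"PLUGIN {path} ({name} {ver}): {', '.join(why)}")
```

The account check deliberately flags every administrator registered after the window opened, not just pattern matches, because an operator who renames the backdoor plugin between infections can just as easily pick a different username; review those rows by hand rather than treating the name pattern as the only signal. On a real site, build `plugin_files` by reading each `*.php` file under `wp-content/plugins` and compare the result with what the WordPress admin UI lists, since the backdoor was described as hidden from that UI.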


Source: OptinMonster WordPress plugin hacked in CDN supply-chain attack
Domain: bleepingcomputer.com
