OptinMonster supply chain attack hits 1.2 million sites
by Sansec Forensics Team
Published in Threat Research − June 13, 2026
Malware adds admin accounts and hidden backdoor to sites using OptinMonster, TrustPulse or PushEngage plugins.
Sansec discovered an active supply-chain attack hitting over 1.2 million sites that use the popular OptinMonster, TrustPulse and PushEngage WordPress plugins, all operated by WordPress giant Awesome Motive.

Attackers added malicious JavaScript to the legitimate files served by Awesome Motive, which are embedded in their customers' sites.

The malware waits for a logged-in administrator, creates a backdoor admin account, and installs a self-hiding backdoor plugin. It then sends the new credentials to tidio.cc, a lookalike of the real tidio.com. The campaign is ongoing as of 13 June 2026.

The OptinMonster plugin alone has over a million active WordPress installations, and TrustPulse and PushEngage add many more. The payload only fires for logged-in admins, not for ordinary visitors. But as the threat actor effectively gains full control of individual sites, further abuse of regular visitors is to be expected.

Meanwhile, OptinMonster customers are complaining about a service outage.

Awesome Motive runs one of the largest WordPress plugin portfolios in the world, used across tens of millions of sites. Other products include WPForms (over 6 million active installs), MonsterInsights (around 2 million) and All in One SEO (around 3 million). So far we have only confirmed a breach of OptinMonster, TrustPulse and PushEngage code, but anyone running an Awesome Motive plugin should stay alert, watch the indicators below, and patch as the company responds.

Supply chain jackpot

The malicious code was pushed to 1m+ WordPress sites via Awesome Motive's CDN endpoints.
Any WordPress site loading one of these scripts pulled the tampered file directly from the source:

Host | Brand
--- | ---
a.omappapi.com/app/js/api.min.js | OptinMonster
a.opmnstr.com/app/js/api.min.js | OptinMonster
a.optnmstr.com/app/js/api.min.js | OptinMonster
a.trstplse.com/app/js/api.min.js | TrustPulse
clientcdn.pushengage.com/sdks/pushengage-web-sdk.js | PushEngage

This resembles the Polyfill supply chain attack that Sansec discovered in 2024: tamper with a single upstream file, and the malware reaches thousands of downstream sites without ever touching them individually.

What the injected JavaScript does

The payload is heavily gated and runs in stages:

1. It exits immediately on navigator.webdriver, headless browsers, or a zero-size window. It only proceeds if it detects a WordPress admin context: a wp-admin path, the admin bar, or a wordpress_logged_in_ cookie. A 24-hour throttle stored in localStorage['_pe_ts'] keeps it from running repeatedly.
2. It locates the WordPress root and admin path, fingerprints the WordPress version, and harvests REST and AJAX nonces (wpApiSettings.nonce, admin-ajax.php?action=rest-nonce, and scraped from user-new.php).
3. It creates an administrator using four fallback methods in sequence: the user-new.php form, admin-ajax.php, the REST endpoint wp/v2/users, and finally a hidden iframe form submit. It even recognises "user already exists" responses in roughly twenty languages. It plants a fixed account, developer_api1 / customer1usx@gmail.com, plus randomised dev_xxxxxx accounts.
4. It silently uploads a self-hiding PHP plugin.
5. The new admin user:password, site origin, logout URL, admin path, method, timing and WordPress version are XOR-encrypted (key jX9kM2nP4qR6sT8v), base64-encoded, and sent to tidio.cc/cdn-cgi/*. Delivery falls back through sendBeacon, then fetch (no-cors), then XHR, then an Image().src beacon.

The self-hiding backdoor plugin

The plugin that gets installed is built to disappear.
It hides itself from the user list, the plugin list (both the admin screen and the REST /wp/v2/plugins endpoint), update checks, and the "recently active" list. On init, with no authentication required, it exposes two entry points:

- ?developer_api1_fm opens a web shell branded "WPM File Manager & Shell", which runs system($_POST['cmd']) and accepts file uploads.
- A POST to developer_api1_eval runs eval(base64_decode(...)) on attacker-supplied input.

The operator rotates the plugin's disguise while keeping the logic byte-identical across renames. We have observed it shipping as "Content Delivery Helper" (content-delivery-helper, v2.7.1) and, currently, as "Database Optimizer" (database-optimizer, v2.9.4). The plugin ZIP is generated fresh on each request: the script fetches tidio.cc/cdn-cgi/{pe-,}l?t=gen&u=developer_api1, which returns a base64 blob that decodes through the same XOR key into the plugin id, slug and ZIP.

Active exploitation

Our friends at Patchstack quickly created detection rules and reported blocking 271 rogue-admin attempts...
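As an added example for the exfiltration step described under "What the injected JavaScript does" (not code from the post or from Sansec), a decoder that turns a beacon blob captured from egress or WAF logs back into readable fields using the key named above. That the XOR key simply repeats, the JSON field layout, and the sample values are assumptions.

```python
import base64
import json

# XOR key named in the write-up for the tidio.cc beacons and the plugin-generator reply.
XOR_KEY = b"jX9kM2nP4qR6sT8v"


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; that the key simply cycles is an assumption, the post only names it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_beacon(blob: str) -> bytes:
    """Strip the base64 layer, then the XOR layer. Padding is restored and both base64
    alphabets are accepted, since values lifted from logs often lose '=' or are URL-encoded."""
    blob = blob.strip().replace("%3D", "=").replace("%2B", "+").replace("%2F", "/")
    blob += "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # '-' or '_' present: urlsafe alphabet
        raw = base64.urlsafe_b64decode(blob)
    return xor_bytes(raw)


def encode_beacon(plaintext: bytes) -> str:
    """Forward direction, used here only to build the constructed fixture below."""
    return base64.b64encode(xor_bytes(plaintext)).decode()


def parse_beacon(blob: str) -> dict:
    """Decode and parse; a JSON object with these keys is an assumed layout."""
    return json.loads(decode_beacon(blob).decode("utf-8", errors="replace"))


# Constructed sample carrying the fields the post lists; not a real captured beacon.
SAMPLE_FIELDS = {
    "user": "developer_api1:constructed-password",
    "origin": "https://shop.example",
    "logout": "https://shop.example/wp-login.php?action=logout",
    "admin": "/wp-admin/",
    "method": "rest",
    "ts": 1718272800,
    "wp": "6.x-constructed",
}
SAMPLE_BLOB = encode_beacon(json.dumps(SAMPLE_FIELDS).encode())

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_BLOB))
```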
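Added example for "The self-hiding backdoor plugin" section above, not Sansec's or Patchstack's tooling: a filesystem and user-list check for the indicators the post names, walking the plugins directory on disk because the plugin removes itself from WordPress's own listings. The character set for the randomised dev_xxxxxx logins, the WP-CLI command mentioned in a docstring, and the fixture contents are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted from the write-up: rotating plugin slugs and strings from the backdoor.
ROGUE_SLUGS = {"content-delivery-helper", "database-optimizer"}
CODE_MARKERS = ("developer_api1_fm", "developer_api1_eval", "WPM File Manager & Shell",
                "system($_POST['cmd'])", "eval(base64_decode(")
# developer_api1 is fixed; the dev_xxxxxx charset is an assumption, the post only shows the shape.
ROGUE_USER = re.compile(r"^(?:developer_api1|dev_[A-Za-z0-9]{6})$")


def scan_plugins(plugins_dir: Path) -> list[str]:
    """Walk wp-content/plugins on disk, since the plugin hides itself from WP's own listings."""
    findings = []
    for entry in sorted(plugins_dir.iterdir()):
        if entry.name in ROGUE_SLUGS:
            findings.append(f"rogue slug: {entry.name}")
        files = entry.rglob("*.php") if entry.is_dir() else [entry]
        for php in sorted(p for p in files if p.suffix == ".php"):
            text = php.read_text(errors="replace")
            rel = php.relative_to(plugins_dir).as_posix()
            findings += [f"{rel}: {m}" for m in CODE_MARKERS if m in text]
    return findings


def rogue_users(usernames) -> list[str]:
    """Filter a login list (e.g. from 'wp user list --field=user_login') for the planted names."""
    return [u for u in usernames if ROGUE_USER.match(u)]


def demo() -> tuple[list[str], list[str]]:
    """Constructed fixture: one benign plugin and one disguised copy carrying a marker token."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp)
        (plugins / "example-plugin").mkdir()
        (plugins / "example-plugin" / "example-plugin.php").write_text("<?php\n/* Plugin Name: Example */\n")
        (plugins / "database-optimizer").mkdir()
        (plugins / "database-optimizer" / "database-optimizer.php").write_text(
            "<?php\n/* Plugin Name: Database Optimizer\nVersion: 2.9.4 */\n"
            "$hook = 'developer_api1_eval';  // stand-in line, only the marker token is present\n")
        plugin_findings = scan_plugins(plugins)
    users = rogue_users(["admin", "editor", "developer_api1", "dev_ab12cd", "developer"])
    return plugin_findings, users


if __name__ == "__main__":
    print(*demo(), sep="\n")
```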