OptinMonster, the popular lead-generation and conversion optimization WordPress plugin with over 1.4 million active installations, has been compromised in a CDN supply-chain attack that also affected sibling products TrustPulse and PushEngage. The attack, discovered by e-commerce security firm Sansec over the weekend of June 13-14, 2026, allowed threat actors to inject malicious JavaScript into websites by compromising the parent company Awesome Motive’s content distribution network.

What Happened

Attackers gained access to a server in Awesome Motive's environment by exploiting a known vulnerability in the UpdraftPlus WordPress plugin. This server hosted a marketing website and, while it was not connected to the company's production infrastructure or data systems, it stored credentials for Awesome Motive's CDN account. The attackers stole these CDN API keys and used them to modify JavaScript files distributed through the CDN, so that any website loading those scripts silently executed malicious code. The marketing server was low-value in itself; the CDN key it held was not, and that key is what turned one compromised host into a supply-chain attack on every site embedding the scripts.

The malicious scripts were served during a narrow window on June 12, 2026:

- OptinMonster and TrustPulse: 22:17 UTC to 22:42 UTC (approximately 25 minutes)
- PushEngage: continued serving malicious code until approximately 19:02 UTC on Saturday, June 13, well beyond the 25-minute window of the other two products

The affected CDN JavaScript files were:

- `a.omappapi.com/app/js/api.min.js` (OptinMonster)
- `a.opmnstr.com/app/js/api.min.js` (OptinMonster)
- `a.optnmstr.com/app/js/api.min.js` (OptinMonster)
- `a.trstplse.com/app/js/api.min.js` (TrustPulse)

Malicious Payload and Attacker Activity

The injected JavaScript was designed to run only when a WordPress administrator visited a page on an infected website; non-administrator visitors were not targeted. Upon execution, the malware would:

- Harvest authentication tokens and nonces from the administrator's session
- Use the stolen credentials to create a rogue administrator account with usernames such as `developer_api1` or `dev_xxxxxx`
- Install a self-hiding backdoor plugin that evades detection in the WordPress admin interface
- Establish a command-and-control channel to a domain impersonating Tidio (a legitimate customer communication platform) and exfiltrate newly captured data

The backdoor plugin gave attackers full remote access, including a web shell (disguised as "WPM File Manager & Shell") and arbitrary PHP code execution. Sansec researchers observed the plugin rotating its disguise while keeping its malicious logic byte-identical across renames:

- "Content Delivery Helper" (`content-delivery-helper`, v2.7.1)
- "Database Optimizer" (`database-optimizer`, v2.9.4)

Because the code stays byte-identical under each new name, a detection keyed only on the plugin slug will miss the next rename; matching on file hashes or on the malicious code itself is more durable.

This is a classic supply-chain attack: rather than compromising websites directly, the attackers poisoned a trusted distribution channel (the CDN), causing downstream consumers to load malicious code without any action on their part.

Scope of Impact

With over 1.4 million websites using OptinMonster alone, and additional sites running TrustPulse and PushEngage, the potential blast radius is enormous. Any WordPress administrator who visited their site’s frontend or admin panel while the malicious CDN scripts were being served could have had their session credentials stolen, leading to full site compromise.

Awesome Motive has stated that its application servers, source code, and plugin hosting servers were not compromised, and that account data and personal details held by the company were not accessed. Removing the malicious scripts from the CDN does not, however, evict attackers from sites they had already compromised: wherever a rogue administrator account or the hidden backdoor plugin remains in place, they retain full access.

How to Detect and Fix

Immediate Actions


- Check for rogue administrator accounts. Look for users named `developer_api1` or any account following the pattern `dev_xxxxxx`. Remove any unrecognized admin accounts immediately, and review any administrator account whose creation time falls inside the attack window.
- Inspect the filesystem for hidden backdoor plugins. Examine `wp-content/plugins/` directly for directories named `content-delivery-helper`, `database-optimizer`, or any other unfamiliar plugin that does not appear on the WordPress admin Plugins page. The backdoor hides itself from the admin UI, so the directory listing, not the dashboard, is the source of truth.
- Scan for web shells and unauthorized PHP files. Look for suspicious PHP files, particularly those referencing file management or shell functionality (the web shell was disguised as "WPM File Manager & Shell").
- Rotate all credentials. Change all WordPress administrator passwords, application passwords, and API keys, then regenerate the WordPress salts in `wp-config.php` to invalidate every existing session, including any the attacker is holding.

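The four checks above, as an added triage script that is not part of the advisory or of Awesome Motive's or Sansec's tooling. It assumes a standard WordPress layout, that the `xxxxxx` in `dev_xxxxxx` stands for six alphanumeric characters, and that administrator logins are fed in from `wp user list --role=administrator --field=user_login`. The web-shell patterns beyond the "WPM File Manager" string are generic assumptions, not published indicators, and the sample site the script builds under a temporary directory is constructed fixture data so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Awesome Motive's or Sansec's tooling.
# Assumes a standard WordPress layout and WP-CLI for the account export; the sample
# site created below is constructed fixture data so the script runs offline.
set -eu

# 1. Rogue administrator accounts. Reads one login per line from stdin, e.g.
#      wp user list --role=administrator --field=user_login | find_rogue_admins
#    and prints the ones matching the advisory's names. Assumption: the xxxxxx in
#    dev_xxxxxx stands for six alphanumeric characters.
find_rogue_admins() {
  grep -E '^(developer_api1|dev_[A-Za-z0-9]{6})$' || true
}

# 2. Plugin directories on disk that are not in your list of expected slugs.
#    The backdoor hides from the Plugins page, so the filesystem is the source of
#    truth. $1 = wp-content/plugins path, $2 = file with one expected slug per line.
find_unlisted_plugins() {
  for d in "$1"/*/; do
    slug=$(basename "$d")
    grep -qxF "$slug" "$2" || printf '%s\n' "$slug"
  done
}

# 3. Plugin directories whose slug matches one of the advisory's two names.
find_ioc_plugins() {
  for d in "$1"/*/; do
    slug=$(basename "$d")
    case "$slug" in
      content-delivery-helper|database-optimizer) printf '%s\n' "$slug" ;;
    esac
  done
}

# 4. PHP files that look like a web shell: the "WPM File Manager" disguise string
#    from the advisory plus generic shell primitives (the latter are an assumption,
#    not published indicators). Treat hits as leads to inspect, not proof.
find_suspicious_php() {
  find "$1" -type f -name '*.php' -exec \
    grep -lE 'WPM File Manager|shell_exec\(|passthru\(|eval\(base64_decode' {} + 2>/dev/null || true
}

# ---- Constructed sample site (fixture data, not a real installation) ----
WP_ROOT=$(mktemp -d)
trap 'rm -rf "$WP_ROOT"' EXIT
PLUGINS="$WP_ROOT/wp-content/plugins"
mkdir -p "$PLUGINS/akismet" "$PLUGINS/optinmonster" "$PLUGINS/database-optimizer"
printf '<?php // legitimate plugin\n' > "$PLUGINS/akismet/akismet.php"
printf '<?php /* Plugin Name: Database Optimizer */ eval(base64_decode($_POST["c"]));\n' \
  > "$PLUGINS/database-optimizer/index.php"
printf 'akismet\noptinmonster\n' > "$WP_ROOT/expected-plugins.txt"
# Constructed admin export: two legitimate accounts and two matching the IOC names.
ADMINS='admin
developer_api1
dev_k3j9q2
jane'

echo 'Rogue admins:';      printf '%s\n' "$ADMINS" | find_rogue_admins
echo 'Unlisted plugins:';  find_unlisted_plugins "$PLUGINS" "$WP_ROOT/expected-plugins.txt"
echo 'IOC plugins:';       find_ioc_plugins "$PLUGINS"
echo 'Suspicious PHP:';    find_suspicious_php "$PLUGINS"
```

On a real site, point `PLUGINS` at the live `wp-content/plugins` directory, replace the `expected-plugins.txt` fixture with the slugs you actually installed, and pipe the WP-CLI user export into `find_rogue_admins`. An empty result from the slug checks is not a clean bill of health, since the plugin has already been seen under more than one name; the unlisted-plugin and PHP checks are the ones that survive a rename.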
CDN Integrity Verification

- Verify CDN script integrity. Compare the hashes of locally cached or currently served copies of the CDN scripts against known-good versions. Awesome Motive has since removed the malicious content and rotated the CDN API key, so what the CDN serves now should match the clean file; a cached copy from the attack window that does not match is evidence that your visitors were served the payload.
- Clear all caches. Purge CDN caches, browser caches, and any server-side caching layers (such as WP Rocket, LiteSpeed Cache, or server-level caching) so that the clean versions of the scripts are served.
- Implement Subresource Integrity (SRI). Add `integrity` attributes to `<script>` tags that load external CDN resources. SRI makes the browser verify that a fetched script matches a cryptographic hash before executing it. Example:

```html
<script src="https://a.omappapi.com/app/js/api.min.js"
        integrity="sha384-[base64-encoded-hash]"
        crossorigin="anonymous"></script>
```

Generate SRI hashes using tools like the SRI Hash Generator or via the command line:

```sh
openssl dgst -sha384 -binary api.min.js | openssl base64 -A
```

Hash a copy of `api.min.js` you have verified independently, not whatever the CDN happens to be serving at the moment, or you risk pinning a tampered file. Two operational caveats apply: if the script tag is emitted by the plugin rather than written into your theme, you must intercept that output to add the attribute; and every vendor update to the file changes the hash, so the pin has to be refreshed or the browser will block the legitimate new version.

Recommendations

- Assume compromise if you were in the window. If your site loads OptinMonster, TrustPulse, or PushEngage scripts and an administrator visited it during the attack window on June 12-13, proceed as if the site has been compromised. The narrow window means many sites were probably never served the malicious file, but the only safe posture is to investigate rather than assume.
- Audit third-party script dependencies. This attack demonstrates the risk of loading JavaScript from external CDNs without integrity checks. Inventory every third-party script loaded on your site and assess the trust model for each: who can change the file, and what happens inside your admin sessions if they do.
- Adopt SRI wherever a dependency can be pinned. Subresource Integrity is a mature, widely supported browser feature; with a correct hash in place, a browser refuses to execute a tampered CDN file, protecting end users even when the CDN is compromised. It only helps when the pinned hash comes from a source independent of the CDN and is kept current with vendor releases, so treat it as a control to plan for rather than a flag to flip.
- Harden WordPress administration. Enforce strong passwords, implement two-factor authentication for all admin accounts, limit the number of administrator users, and monitor for unauthorized account creation.
- Keep all plugins updated. The initial access vector was a known vulnerability in UpdraftPlus. Prompt patching of all plugins and themes is essential defense-in-depth.
- Monitor for indicators of compromise. Watch for the rogue usernames (`developer_api1`, `dev_*`), the malicious plugin names (`content-delivery-helper`, `database-optimizer`), and outbound connections to domains impersonating Tidio or other customer communication platforms.

Awesome Motive's Response

Awesome Motive has taken the following steps to remediate the incident:

- Remediated the compromised marketing website and migrated it to a new server
- Rotated all credentials, including the compromised CDN API key
- Removed the malicious JavaScript from all affected CDN files
- Published a security advisory detailing the incident and recommended actions

The company confirmed that its application servers, source code, and systems storing user account information are hosted separately and were not breached.

References

- BleepingComputer: OptinMonster WordPress plugin hacked in CDN supply-chain attack
- Sansec Research: OptinMonster Supply Chain Attack
- Awesome Motive Security Advisory

Disclaimer: This information is provided for educational and defensive purposes only. Site owners should independently verify their exposure and follow the official guidance from Awesome Motive and security researchers.
