A large-scale supply chain attack on widely used WordPress plugins has exposed over 1.2 million websites to possible compromise after attackers inserted malicious code into legitimate JavaScript files served from trusted CDN infrastructure.
Security analysts at Sansec uncovered an active campaign targeting plugins created by Awesome Motive, including OptinMonster, TrustPulse, and PushEngage.
These plugins are deployed on millions of WordPress sites globally, with OptinMonster alone exceeding one million active installations.
Instead of directly attacking specific websites, threat actors compromised upstream JavaScript files hosted on Awesome Motive’s CDN.
Any site loading these scripts unwittingly executed the injected code, making this attack similar to prior large-scale supply chain incidents.
The harmful payload is crafted to remain undetectable and triggers only when a WordPress administrator is signed in. It circumvents execution in headless browsers and automated environments, significantly minimizing the likelihood of detection during standard scans.
Upon activation, the script recognizes the WordPress admin environment, collects site metadata, and extracts authentication tokens from REST and AJAX endpoints.
Using these tokens, the malware endeavors to create unauthorized administrator accounts via various methods, including REST API calls and form submissions.
The injected scripts were delivered through legitimate domains such as:
- a.omappapi.com
- a.opmnstr.com
- a.optnmstr.com
- a.trstplse.com
- clientcdn.pushengage.com
It achieves persistence by creating both a fixed account named developer_api1 and additional randomized accounts following the dev_xxxxxx pattern.
The stolen credentials, along with site information, are encrypted and sent to a command-and-control server hosted on the domain tidio.cc, which mimics a legitimate service to avoid suspicion.
To sustain long-term access, the attackers install a concealed backdoor plugin that is designed to evade detection. The plugin hides itself from the WordPress dashboard, API responses, update processes, and activity logs.
It grants attackers complete remote control of compromised websites by enabling arbitrary command execution and remote code execution through specially crafted requests.
Indicators of Compromise
Organizations should verify the following:
- Suspicious domains: tidio[.]cc (84[.]201[.]6[.]54).
- Illicit admin accounts: developer_api1 or dev_xxxxxx.
- Concealed plugins: content-delivery-helper or database-optimizer.
- Unique string: jX9kM2nP4qR6sT8v (XOR key).
Note: IP addresses and domains have been intentionally defanged (e.g., [.]) to prevent unintended resolution or hyperlinking. Re-fang only within regulated threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Sansec experts noticed that the plugin frequently changes its disguise, masquerading as legitimate tools such as “Content Delivery Helper” or “Database Optimizer.”
Active exploitation has been confirmed, with Patchstack preventing hundreds of attempts to create illicit administrator accounts across multiple sites, indicating real-world exploitation of the backdoor.
According to Awesome Motive, the incident was triggered by the exploitation of a vulnerability in the UpdraftPlus plugin.
Attackers reportedly accessed a server hosting marketing infrastructure, retrieved a CDN API key, and utilized it to implant harmful code into files distributed to customers.
The company has since eliminated the harmful scripts, rotated credentials, cleared CDN caches, and transitioned affected systems to new infrastructure.
Administrators utilizing the compromised plugins are strongly urged to assume potential breach if a logged-in admin session occurred during the attack period.
Immediate actions should involve auditing all administrator accounts for unauthorized entries, directly scanning the filesystem for hidden plugins, and rotating all credentials.
Since the malware activates solely during authenticated admin sessions, server-side inspection remains one of the most effective detection strategies.
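The server-side checks recommended above (auditing administrator accounts and scanning the filesystem for hidden plugins) can be scripted against the indicators listed in the IoC section. The following is an added defender-side example, not code from the article, from Sansec, or from Awesome Motive. It reads wp-content/plugins directly from disk, which sidesteps a plugin that hides itself from the dashboard and API, and it audits a WP-CLI-style CSV user export. Assumptions, labelled in the code: the `dev_xxxxxx` pattern is interpreted as exactly six alphanumeric characters, the user export is a constructed CSV with `user_login` and `roles` columns, and the sample plugin tree is constructed in a temporary directory for demonstration.

```python
"""Added example (not from the article): scan a WordPress install for the
published indicators and audit a user export for the account names described.
Assumptions are marked below; the sample site and CSV are constructed here."""
import csv
import io
import re
import tempfile
from pathlib import Path

# Indicators as quoted on the page: backdoor plugin slugs, C2 domain, XOR key, fixed account.
SUSPICIOUS_PLUGIN_DIRS = {"content-delivery-helper", "database-optimizer"}
SUSPICIOUS_STRINGS = ("tidio.cc", "jX9kM2nP4qR6sT8v", "developer_api1")
FIXED_ACCOUNT = "developer_api1"
# Assumption: "dev_xxxxxx" means "dev_" followed by exactly six alphanumeric characters.
RANDOM_ACCOUNT_RE = re.compile(r"^dev_[A-Za-z0-9]{6}$")


def scan_plugins_dir(plugins_dir):
    """Walk wp-content/plugins on disk and return (kind, path) findings.
    Reading the directory directly avoids relying on what WordPress reports,
    since the backdoor hides itself from the dashboard and API responses."""
    findings = []
    root = Path(plugins_dir)
    for entry in sorted(root.iterdir()):
        if entry.is_dir() and entry.name in SUSPICIOUS_PLUGIN_DIRS:
            findings.append(("known_backdoor_slug", str(entry)))
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in (".php", ".js"):
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for marker in SUSPICIOUS_STRINGS:
            if marker in text:
                findings.append((f"string:{marker}", str(path)))
    return findings


def audit_users(csv_text):
    """Given a CSV export with user_login and roles columns, return the
    (login, roles) pairs matching the fixed or randomized account names."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"]
        if login == FIXED_ACCOUNT or RANDOM_ACCOUNT_RE.match(login):
            hits.append((login, row.get("roles", "")))
    return hits


def build_sample_site(base):
    """Construct a toy wp-content/plugins tree: one clean plugin plus one
    directory carrying the published indicators (constructed, for demo only)."""
    plugins = Path(base) / "wp-content" / "plugins"
    (plugins / "akismet").mkdir(parents=True)
    (plugins / "akismet" / "akismet.php").write_text("<?php // clean plugin\n")
    (plugins / "database-optimizer").mkdir()
    (plugins / "database-optimizer" / "db.php").write_text(
        "<?php $k='jX9kM2nP4qR6sT8v'; $c2='https://tidio.cc/';\n"
    )
    return plugins


# Constructed user export in the shape of `wp user list --fields=user_login,roles --format=csv`.
SAMPLE_USERS_CSV = """user_login,roles
alice,administrator
developer_api1,administrator
dev_a1b2c3,administrator
devops,editor
"""


def demo():
    """Run both checks against the constructed sample data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin_findings = scan_plugins_dir(build_sample_site(tmp))
    return plugin_findings, audit_users(SAMPLE_USERS_CSV)


if __name__ == "__main__":
    plugin_findings, user_hits = demo()
    for kind, path in plugin_findings:
        print(f"[plugin] {kind}: {path}")
    for login, roles in user_hits:
        print(f"[user] {login} ({roles})")
```

On a real install, point `scan_plugins_dir` at the site's `wp-content/plugins` directory and feed `audit_users` the output of a WP-CLI user export; a hit on the plugin slugs or strings means the filesystem should be treated as compromised rather than cleaned in place, and any matched account should be cross-checked against the admin roster before removal, since a legitimate user could coincidentally match the `dev_` pattern.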
This incident underscores the increasing threat of supply chain attacks in the WordPress ecosystem, where compromising a single trusted source can result in widespread repercussions across millions of websites.