Ethical Hacking News
Sansec researchers have discovered a supply chain attack hitting WordPress sites that run the OptinMonster, TrustPulse, and PushEngage plugins operated by Awesome Motive. The attackers injected malicious JavaScript into files served directly from Awesome Motive's content delivery network (CDN) endpoints, so every site that embeds those files received the tampered code, and thousands of sites were exposed.
The attack followed the same pattern as the Polyfill supply chain attack that Sansec uncovered in 2024: a file is tampered with upstream, at the vendor, and the change then propagates to every downstream site that loads it without anything on those sites detecting it. In this case the attackers added malicious JavaScript to legitimate files served by Awesome Motive, which its customers' sites embed.
The affected plugins include OptinMonster, TrustPulse, and PushEngage; OptinMonster alone has over a million active WordPress installations. The researchers found that the injected code was written to avoid attention: it did nothing for ordinary visitors and only proceeded once it detected a logged-in WordPress administrator, which it did by checking for wp-admin paths or for the wordpress_logged_in_ cookie.
Once it was running in an administrator's browser, the script harvested authentication tokens from several sources, including the REST API settings and the admin AJAX endpoint, and then used them to create a backdoor administrator account, with four separate fallback methods in case one failed. The stolen data (credentials, site address, admin path, and WordPress version) was scrambled with an encryption key and sent to a domain the attackers had registered.
The script even recognised "user already exists" error messages in roughly twenty languages, so that when a username collided it could try another and still end up with a working account on each victim site. The backdoor plugin it installed was designed to stay out of sight, hiding from the user list, the plugin list, update checks, and the recently active list, which makes it hard for administrators to notice.
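As an added example (not Sansec's, Awesome Motive's, or the article's own code), the following Python monitors scripts that a site loads from a vendor CDN: it flags drift from a reviewed baseline hash and looks for the admin-gated, token-harvesting, user-creating behaviour the article describes, which a benign front-end widget has no reason to contain. The marker patterns, the CDN URL, and both script samples are constructed assumptions, not the real payload.

```python
"""Added example (not Sansec's, Awesome Motive's, or the article's code): monitor
JavaScript that a WordPress site loads from a third-party CDN, flag drift from a
reviewed baseline, and look for the admin-gated behaviour the article describes."""
import hashlib
import re

# Marker patterns are assumptions matching the *behaviour* described in the
# article (admin detection, REST/AJAX token harvesting, user creation); the
# real payload's exact strings are not on the page.
MARKERS = {
    "admin_cookie_check": re.compile(r"wordpress_logged_in_"),
    "wp_admin_path_check": re.compile(r"/wp-admin"),
    "rest_nonce_harvest": re.compile(r"wpApiSettings|wp_rest|X-WP-Nonce", re.I),
    "admin_ajax_use": re.compile(r"admin-ajax\.php"),
    "user_creation": re.compile(r"wp/v2/users|user-new\.php|createuser"),
    "obfuscation": re.compile(r"\beval\(|\batob\(|String\.fromCharCode"),
}
GATING = {"admin_cookie_check", "wp_admin_path_check"}
ABUSE = {"rest_nonce_harvest", "admin_ajax_use", "user_creation"}


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def find_markers(js: str) -> list:
    """Names of every marker whose pattern occurs in the script text."""
    return [name for name, rx in MARKERS.items() if rx.search(js)]


def assess_script(url: str, body: bytes, baseline: dict) -> dict:
    """Compare one fetched script with the baseline (url -> sha256 of the last
    reviewed copy) and decide whether it needs a human to look at it.

    'suspicious' is set when the script both gates on an admin session and
    reaches for tokens or user creation, and it is either new or has changed
    since it was last reviewed. A benign widget should do neither."""
    digest = sha256_hex(body)
    known = baseline.get(url)
    changed = known is not None and known != digest
    markers = set(find_markers(body.decode("utf-8", errors="replace")))
    admin_targeted = bool(markers & GATING) and bool(markers & ABUSE)
    return {
        "url": url,
        "sha256": digest,
        "changed": changed,
        "markers": sorted(markers),
        "suspicious": admin_targeted and (changed or known is None),
    }


# Constructed samples, not the real payload: a benign widget, and the same
# widget with an admin-gated block appended in the shape the article describes.
CLEAN_JS = (b"(function(){window.omInit=function(){"
            b"document.getElementById('om-box').style.display='block';};})();")
INJECTED_JS = CLEAN_JS + b"""
(function(){
  if(!document.cookie.includes('wordpress_logged_in_')&&!location.pathname.includes('/wp-admin'))return;
  var n=(window.wpApiSettings||{}).nonce;
  fetch('/wp-json/wp/v2/users',{method:'POST',headers:{'X-WP-Nonce':n}});
})();"""
CDN_URL = "https://cdn.example.invalid/widget.js"  # assumed, not a real endpoint
BASELINE = {CDN_URL: sha256_hex(CLEAN_JS)}


def demo() -> tuple:
    """Assess the reviewed copy and the tampered copy against the same baseline."""
    return (assess_script(CDN_URL, CLEAN_JS, BASELINE),
            assess_script(CDN_URL, INJECTED_JS, BASELINE))


if __name__ == "__main__":
    for result in demo():
        print(result["suspicious"], result["changed"], result["markers"])
```

In practice the baseline is the hash you recorded when you last read the vendor's file, and the fetch loop runs on a schedule from outside the site so that a tampered file is caught before an administrator's browser ever executes it; a hash change with no markers still deserves a diff, since the markers only cover the behaviour this campaign showed.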
The researchers published indicators of compromise (IoCs) for the campaign. They also warned that if an administrator had logged in during the injection window, the damage was already done, and they advised rotating every admin password and secret.
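As an added example, not from Sansec or the article, the following Python scans a site's access log for account- or plugin-changing requests that fell inside the injection window, which is the question an administrator who has rotated credentials still needs answered: did the script running in someone's browser actually get to create its backdoor? The endpoint list, the window, and the log lines are constructed assumptions; the page does not say which endpoints the payload's four fallback methods used.

```python
"""Added example (not from Sansec or the article): scan a WordPress access log
for account- or plugin-changing requests inside the CDN injection window, to
answer whether the in-browser script actually got to create its backdoor."""
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlparse

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Standard WordPress endpoints that create users or install plugins. Which of
# these the payload's four fallback methods used is not stated on the page;
# this list is an assumption and should be widened to your own admin surface.
PRIV_REQUESTS = [
    ("POST", re.compile(r"^/wp-json/wp/v2/users(?:[/?]|$)")),
    ("POST", re.compile(r"^/wp-admin/user-new\.php")),
    ("POST", re.compile(r"^/wp-admin/admin-ajax\.php")),
    ("POST", re.compile(r"^/wp-admin/update\.php\?action=upload-plugin")),
    ("POST", re.compile(r"^/wp-admin/plugin-install\.php")),
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # A legitimate admin action is submitted from a wp-admin page; a request
    # fired by a script on a front-end page, as the article's payload does when
    # it finds the login cookie there, carries a public referer instead.
    rec["from_admin_ui"] = urlparse(rec["referer"]).path.startswith("/wp-admin/")
    return rec


def is_privileged(rec: dict) -> bool:
    return any(rec["method"] == method and rx.search(rec["path"])
               for method, rx in PRIV_REQUESTS)


def requests_in_window(lines, start: datetime, end: datetime) -> list:
    """Privileged requests whose timestamp falls within [start, end]."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and start <= rec["ts"] <= end and is_privileged(rec):
            hits.append(rec)
    return hits


# Constructed log lines and window, not taken from any real incident. The
# third line is a normal admin creating a user before the window opened.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2026:09:12:01 +0000] "GET /blog/launch-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2026:09:12:04 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 412 '
    '"https://shop.example.invalid/blog/launch-post/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2026:08:30:44 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 '
    '"https://shop.example.invalid/wp-admin/user-new.php" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2026:09:12:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 '
    '"https://shop.example.invalid/blog/launch-post/" "Mozilla/5.0"',
]
WINDOW_START = datetime(2026, 6, 10, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, 10, 0, tzinfo=timezone.utc)


def demo() -> list:
    return requests_in_window(SAMPLE_LOG, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for hit in demo():
        print(hit["ts"].isoformat(), hit["ip"], hit["path"],
              "from_admin_ui=%s" % hit["from_admin_ui"])
```

Hits with from_admin_ui false are the ones to chase first: a user-creation POST whose referer is a public blog page is exactly what a script triggered by the wordpress_logged_in_ cookie on the front end would produce. Pair the result with a direct look at the users table, since the article notes the backdoor hides its account from the user list in wp-admin.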
In conclusion, this supply chain attack highlights the risk of code that a site loads at runtime from a third-party vendor such as Awesome Motive. Because the malicious JavaScript arrived from the vendor's CDN endpoints rather than through anything installed on the site, administrators had little chance of noticing it. Monitoring what those endpoints serve, auditing administrator accounts and installed plugins, and rotating credentials after exposure are the defences this attack calls for.
Related Information:
https://www.ethicalhackingnews.com/articles/Supply-Chain-Attack-Hits-Popular-WordPress-Plugins-Through-Awesome-Motive-CDN-A-Detailed-Analysis-ehn.shtml
https://securityaffairs.com/193616/malware/supply-chain-attack-hits-popular-wordpress-plugins-through-awesome-motive-cdn.html
https://sansec.io/research/optinmonster-supply-chain-attack
Published: Mon Jun 15 05:27:07 2026 by llama3.2 3B Q4_K_M