Supply Chain Attack on OptinMonster, TrustPulse, and PushEngage: Tampered CDN Scripts Auto-Creating Rogue Admins
A supply chain attack against three popular WordPress marketing plugins served tampered JavaScript from vendor CDNs, enabling attackers to create hidden admin accounts and deploy a backdoor on over 1.2 million potentially exposed sites.

On June 15, 2026, Patchstack disclosed a sophisticated supply chain attack targeting OptinMonster, TrustPulse, and PushEngage — three widely used WordPress marketing plugins under the Awesome Motive umbrella. The attack did not exploit a traditional plugin vulnerability; instead, attackers tampered with JavaScript SDK files served from the vendors' own CDNs. When a logged-in administrator visited a page loading one of these plugins, the injected code executed in their browser, using their valid session and nonces to silently create rogue admin accounts and install a self-hiding backdoor plugin. Because every malicious request appeared identical to legitimate admin activity at the network layer, the attack was difficult to detect and block without breaking normal functionality.
According to Patchstack's analysis, the breach began when attackers exploited a vulnerability in the UpdraftPlus plugin on OptinMonster's marketing website. From there, they obtained a CDN API key and used it to modify the JavaScript files served to customers at the edge. The targeted files included api.min.js from multiple subdomains for OptinMonster and TrustPulse, and pushengage-web-sdk.js for PushEngage. The malicious code was appended to the legitimate, minified SDK, so the plugin continued to function normally while the attacker's logic ran alongside it. No plugin update was involved: because the plugins load the SDK from the vendor CDN at runtime, a fully up-to-date site could still be served the tampered script.
The timeline reveals careful preparation: the command-and-control domain tidio.cc was registered on April 28, 2026, nearly six weeks before the attack. Malware was first observed in the OptinMonster and TrustPulse CDNs on June 12 at 22:17 UTC, and last verified there the same day at 22:42 UTC. However, the PushEngage SDK continued serving injected code from certain CDN edges until June 13–14, as caches were slowly purged. Patchstack deployed mitigation rules and blocked 271 exploitation attempts across customer sites within 36 hours.
Patchstack's detailed breakdown of the payload reveals a staged routine designed to be stealthy. First, the script checks for headless browsers and automated tooling, and confirms it is running in a genuine WordPress admin context by looking for the admin bar and a wordpress_logged_in_ cookie. It stamps localStorage so that it will not re-execute for 24 hours. Then it harvests a valid REST nonce, either from inline wpApiSettings, by requesting admin-ajax.php?action=rest-nonce, or by scraping the user creation page. With a valid nonce and the administrator's cookies, the script can make authenticated requests as that user; the session cookie plus nonce is all WordPress requires, so no password or further interaction is needed.
The core of the attack involves creating a rogue administrator via multiple methods tried in sequence until one succeeds: the WordPress REST API, the admin user-new.php form, admin-ajax.php, or a hidden 1×1 iframe that fills in and submits the form automatically. The payload planted both a fixed identity ('developer_api1' / 'customer1usx@gmail.com') and randomized accounts ('dev_xxxxxx'), all in the administrator role. It even carried a dictionary of WordPress admin strings in several languages so it could interpret the response on localized sites and tell whether the account had just been created or already existed, avoiding repeated attempts that would generate noise.
Once the rogue admin account was established, the payload fetched a generated ZIP file from the C2 server and uploaded it as a plugin, installing a self-hiding backdoor. The backdoor masqueraded under random names, making it harder to identify. Given the scale of potential exposure — over 1.2 million sites according to Sansec — the incident underscores the inherent risk of relying on third-party CDNs for critical JavaScript SDKs. Even when plugins themselves are secure and up-to-date, a compromise at the CDN level can silently turn every administrator's browser into an attack vector, bypassing traditional WordPress security controls.
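Because each request in this chain is a legitimately authenticated admin request, no single log line is suspicious on its own. What a responder can look for is the sequence: a rest-nonce fetch, then a user-creation POST, then a plugin upload, all from the same client within a few minutes. The following is an added example written for this page, not Patchstack's or PushEngage's code; it parses access-log lines in the common "combined" format and correlates them using WordPress core paths only (the REST users collection, user-new.php, the upload-plugin action on update.php). The log lines, IP addresses, hostnames and the 10-minute window are constructed for the example, and the Referer heuristic is the editor's assumption, not something the advisory states.

```python
"""Triage WordPress access logs for the browser-driven chain described in the
advisory: fetch REST nonce -> create user -> upload plugin, same client, short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)


def classify(method, path):
    """Map one request to a stage of the chain, or None.
    A creation attempt routed through a POST to admin-ajax.php cannot be told
    apart by URL alone (the action name travels in the request body)."""
    parts = urlsplit(path)
    p = parts.path.rstrip('/')
    qs = parse_qs(parts.query)
    if method == 'GET' and p.endswith('/wp-admin/admin-ajax.php') and qs.get('action') == ['rest-nonce']:
        return 'nonce'
    if method == 'POST':
        rest_route = qs.get('rest_route', [''])[0].rstrip('/')
        if p.endswith('/wp-json/wp/v2/users') or rest_route == '/wp/v2/users':
            return 'create_user'
        if p.endswith('/wp-admin/user-new.php'):
            return 'create_user'
        if p.endswith('/wp-admin/update.php') and qs.get('action') == ['upload-plugin']:
            return 'upload_plugin'
    return None


def parse_line(line):
    """Return an event dict for lines that belong to a stage, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stage = classify(m['method'], m['path'])
    if stage is None:
        return None
    return {
        'ip': m['ip'],
        'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'stage': stage,
        'status': int(m['status']),
        # Heuristic (editor's assumption): a human creates users from wp-admin pages,
        # while script-driven requests carry the Referer of the page that loaded the SDK.
        'front_end_referer': '/wp-admin/' not in m['referer'],
    }


def find_chains(lines, window_minutes=10):
    """One finding per create_user request followed by an upload_plugin request from
    the same client within the window. A preceding rest-nonce fetch is recorded but
    not required, because the payload could also read the nonce from inline wpApiSettings."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev['ip']].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e['ts'])
        for i, create in enumerate(evs):
            if create['stage'] != 'create_user':
                continue
            nonce = [e for e in evs[:i] if e['stage'] == 'nonce' and create['ts'] - e['ts'] <= window]
            uploads = [e for e in evs[i + 1:] if e['stage'] == 'upload_plugin' and e['ts'] - create['ts'] <= window]
            if uploads:
                findings.append({
                    'ip': ip,
                    'created_at': create['ts'].isoformat(),
                    'create_status': create['status'],
                    'nonce_fetched': bool(nonce),
                    'upload_status': uploads[0]['status'],
                    'front_end_referer': create['front_end_referer'],
                })
    return findings


# Constructed sample log (TEST-NET addresses, fictional host); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2026:22:20:01 +0000] "GET /pricing/ HTTP/1.1" 200 15320 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2026:22:20:03 +0000] "GET /wp-admin/admin-ajax.php?action=rest-nonce HTTP/1.1" 200 10 "https://shop.example/pricing/" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2026:22:20:04 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 201 812 "https://shop.example/pricing/" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2026:22:20:09 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 302 0 "https://shop.example/pricing/" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2026:14:05:00 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://shop.example/wp-admin/user-new.php" "Mozilla/5.0"
198.51.100.20 - - [13/Jun/2026:09:00:00 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 302 0 "https://shop.example/wp-admin/plugin-install.php" "Mozilla/5.0"
""".splitlines()

if __name__ == '__main__':
    for finding in find_chains(SAMPLE_LOG):
        print(finding)
```

In the sample, the first client performs all three steps within six seconds from a front-end page and is reported; the second client creates a user and installs a plugin nineteen hours apart from wp-admin pages, which is what ordinary administration looks like, and is not. A legitimate admin who creates an account and then installs a plugin inside ten minutes will also match, so treat a hit as a triage lead to be checked against the account names and plugin folders, not as proof of compromise.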
Patchstack recommends that site administrators using these plugins check for unexpected administrator accounts, including the fixed and randomized names described above, look for recently uploaded plugins with obscure names, rotate all passwords and API keys, and review CDN configuration access controls. Rotating credentials does not remove code that is already installed, so any backdoor plugin that turns up must be deleted as well. This incident serves as a stark reminder that supply chain security must extend beyond the plugin code itself to include the infrastructure that delivers it.
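The two checks above can be scripted. The following is an added example written for this page, not code from Patchstack or any of the vendors. It flags administrator accounts that match the indicators quoted in the advisory or were registered inside the incident window, and it lists plugin directories added after the cutoff by reading the file system rather than the dashboard, since the advisory describes the backdoor as self-hiding. The exact character set and length of the randomized 'dev_xxxxxx' logins is an assumption, the CSV and the plugin directory are constructed samples, and the CSV layout assumes the output of `wp user list --role=administrator --format=csv --fields=user_login,user_email,user_registered`.

```python
"""Post-incident triage: suspicious administrator accounts and recently added plugin folders."""
import csv
import io
import os
import re
import tempfile
from datetime import datetime, timezone

# Indicators quoted in the Patchstack write-up.
KNOWN_LOGINS = {'developer_api1'}
KNOWN_EMAILS = {'customer1usx@gmail.com'}
# The advisory gives the randomized form only as 'dev_xxxxxx'; charset and length are an assumption.
RANDOM_LOGIN_RE = re.compile(r'^dev_[A-Za-z0-9]{6}$')

# Start of the day on which the tampered scripts were first observed (12 Jun 2026 22:17 UTC).
CUTOFF = datetime(2026, 6, 12, tzinfo=timezone.utc)


def flag_suspicious_admins(csv_text, cutoff=CUTOFF):
    """csv_text: `wp user list --role=administrator --format=csv
    --fields=user_login,user_email,user_registered`. user_registered is
    'YYYY-MM-DD HH:MM:SS' in UTC, so a plain string comparison orders correctly."""
    cutoff_str = cutoff.strftime('%Y-%m-%d %H:%M:%S')
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row['user_login'] in KNOWN_LOGINS:
            reasons.append('known IOC username')
        if row['user_email'].lower() in KNOWN_EMAILS:
            reasons.append('known IOC email')
        if RANDOM_LOGIN_RE.match(row['user_login']):
            reasons.append('matches dev_xxxxxx pattern')
        if row['user_registered'] >= cutoff_str:
            reasons.append('registered on or after cutoff')
        if reasons:
            findings.append({'user_login': row['user_login'],
                             'user_email': row['user_email'],
                             'reasons': reasons})
    return findings


def recently_added_plugins(plugins_dir, cutoff=CUTOFF):
    """Plugin directories whose mtime is at or after the cutoff. Enumerate the
    directory instead of trusting `wp plugin list`, because a self-hiding plugin
    suppresses its own entry in the dashboard. Timestamps can be forged, so an
    empty result is not a clean bill of health."""
    found = []
    for entry in os.scandir(plugins_dir):
        if entry.is_dir(follow_symlinks=False):
            mtime = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
            if mtime >= cutoff:
                found.append((entry.name, mtime.isoformat()))
    return sorted(found)


# Constructed sample, not real customer data.
SAMPLE_USERS_CSV = """user_login,user_email,user_registered
siteowner,owner@shop.example,2021-03-04 10:12:55
developer_api1,customer1usx@gmail.com,2026-06-12 22:20:04
dev_k3x9qa,dev_k3x9qa@shop.example,2026-06-12 22:20:05
editor_jane,jane@shop.example,2024-11-01 08:00:00
"""


def make_demo_plugins_dir():
    """Throwaway look-alike of wp-content/plugins with stamped mtimes (constructed sample)."""
    root = tempfile.mkdtemp(prefix='plugins-')
    stamps = {
        'optinmonster': datetime(2026, 5, 2, tzinfo=timezone.utc),
        'akismet': datetime(2026, 3, 15, tzinfo=timezone.utc),
        'xk3q9z': datetime(2026, 6, 12, 22, 20, 12, tzinfo=timezone.utc),  # random-named drop
    }
    for name, when in stamps.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.utime(path, (when.timestamp(), when.timestamp()))
    return root


if __name__ == '__main__':
    for hit in flag_suspicious_admins(SAMPLE_USERS_CSV):
        print(hit)
    for name, when in recently_added_plugins(make_demo_plugins_dir()):
        print(name, when)
```

On a live site, replace the sample CSV with real `wp user list` output and point `recently_added_plugins` at the actual wp-content/plugins path; any folder it reports that is missing from the dashboard's plugin list deserves immediate inspection.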
PushEngage, the only plugin whose CDN-served scripts remained compromised for an extended period (several hours on June 12 and residual cache hits into June 14), issued its own incident notice confirming the attack. The company attributed the initial breach to an authentication bypass in UpdraftPlus (CVE-2026-10795) that allowed access to its marketing server and subsequent theft of a CDN API key, though security firm Sansec has not confirmed this entry vector and treats the root cause as unsettled.