OptinMonster plugin users hit as CDN turns hostile

OptinMonster CDN – A supply-chain attack tied to Awesome Motive’s CDN compromised WordPress plugin delivery, pushing malicious JavaScript to OptinMonster and TrustPulse users and only triggering when a WordPress administrator visited the infected page. The attack aimed to steal
By the time many site owners realized something was wrong, the damage had already been done quietly—malicious code served through a trusted delivery network, timed to specific visitors and hidden behind a rotating disguise.
OptinMonster and TrustPulse users were caught in a supply-chain attack that tampered with the JavaScript those WordPress plugins load from Awesome Motive’s content distribution network (CDN), so the malicious code arrived through the vendor’s own delivery channel rather than through the plugin packages themselves. OptinMonster is the best-known of the three affected products, with at least 1.2 million websites using it.
Security firm Sansec discovered the incident over the weekend. It found malicious scripts were served to unsuspecting OptinMonster and TrustPulse users on Friday between 22:17 UTC and 22:42 UTC.
PushEngage was hit too—but not the same way. It continued to serve malicious JavaScript code until 19:02 UTC on Saturday. In the immediate aftermath, the scope for PushEngage impact was not confirmed.
What made the attack particularly dangerous wasn’t just that it delivered malware. It was how it decided when to act.
The malicious code triggered only when a WordPress administrator visited a page on an infected website. At that moment, it collected authentication tokens and nonces. Those details were then used to create a rogue administrator account.
Once the attacker had that foothold, the next steps were designed to keep control and vanish from view. The intruders installed a self-hiding backdoor plugin and established communication with a domain impersonating Tidio, to which newly captured data was sent.
The backdoor didn’t stop at stealth. It provided full remote access capabilities, including a web shell labeled “WPM File Manager & Shell,” along with arbitrary PHP code execution—features that effectively hand attackers complete control of compromised websites.
Sansec also described a detail that can frustrate defenders: the operator rotated the plugin’s disguise while keeping the underlying logic byte-identical across renames. The malware was shipped as “Content Delivery Helper” (content-delivery-helper, v2.7.1) and later as “Database Optimizer” (database-optimizer, v2.9.4).
Awesome Motive’s own advisory, published earlier today, points to a different entry point: hackers gained access to a server in its environment by exploiting a known flaw in the UpdraftPlus WordPress plugin. That server hosted a marketing website and was not connected to the company’s production infrastructure or data systems.
But it hosted credentials for the company’s CDN account—and those credentials were stolen.
With a stolen CDN API key, the attackers modified JavaScript files distributed via Awesome Motive’s CDN. The result was that websites could silently load malicious code directly from the CDN.
The affected files were identified as:
a.omappapi.com/app/js/api.min.js – OptinMonster
a.opmnstr.com/app/js/api.min.js – OptinMonster
a.optnmstr.com/app/js/api.min.js – OptinMonster
a.trstplse.com/app/js/api.min.js – TrustPulse
Awesome Motive said malicious scripts were served for a short period on June 12 for OptinMonster and TrustPulse, without confirming the impact on PushEngage.
The company said it has already remediated the marketing site, migrated it to a new server, and rotated all credentials—including the CDN API key.
It also insisted the wider systems were not compromised. “Our application servers, our source code, and the systems that store your OptinMonster and TrustPulse account information are hosted separately and were not breached,” the publisher stated. It added: “We have no evidence that account data or personal details held by us were accessed.”
Even with the CDN cleaned up, the threat doesn’t end the moment the malicious scripts stop. Awesome Motive warned that attackers can continue to have access to compromised websites as long as the rogue administrator accounts and hidden backdoor plugins remain.
Site owners who might have been affected were told to take several steps: check for and remove rogue admin accounts named ‘developer_api1’ or ‘dev_xxxxxx’; inspect the filesystem directly under wp-content/plugins for hidden backdoor plugins, since a self-hiding plugin will not appear in the dashboard’s plugin list; execute server-side malware scans; and rotate administrator passwords, API keys, database credentials, and WordPress security salts.
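The two filesystem-level checks above (rogue administrator logins and backdoor plugin directories that the dashboard omits) can be scripted. The following is an added triage example written for this page; it is not code from Sansec or Awesome Motive. It assumes the administrator login list comes from WP-CLI (`wp user list --role=administrator --field=user_login`), treats the advisory’s ‘dev_xxxxxx’ as a ‘dev_’ prefix (so legitimate dev_* accounts will also be flagged for manual review), and takes the “visible” plugin list from whatever the Plugins screen or `wp plugin list --field=name` reports. The plugin slugs it looks for are the two Sansec reported. The sample admin list and plugin tree at the bottom are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added triage helpers for the OptinMonster/TrustPulse/PushEngage CDN incident.
# Editor-written illustration, not code from Sansec or Awesome Motive.
# Assumptions: WP-CLI supplies the admin login list; 'dev_xxxxxx' is treated as
# a 'dev_' prefix; the visible plugin list is whatever the dashboard reports.

# 1. Rogue administrator logins named in the Awesome Motive advisory.
#    stdin: one administrator login per line, e.g.
#      wp user list --role=administrator --field=user_login | find_rogue_admins
find_rogue_admins() {
  grep -E '^(developer_api1|dev_[A-Za-z0-9]+)$' || true
}

# 2. Backdoor plugin directories, checked directly on the filesystem.
#    $1: path to wp-content/plugins
#    $2: file listing the plugin slugs the dashboard shows (one per line)
#    Prints 'KNOWN_BAD <slug>' for the slugs Sansec reported and
#    'HIDDEN <slug>' for any directory on disk that the dashboard list omits,
#    which is how a self-hiding plugin betrays itself.
find_suspicious_plugins() {
  local plugins_dir="$1" visible_list="$2" dir slug
  for dir in "$plugins_dir"/*/; do
    [ -d "$dir" ] || continue
    slug=$(basename "$dir")
    case "$slug" in
      content-delivery-helper|database-optimizer) echo "KNOWN_BAD $slug" ;;
    esac
    if ! grep -qxF "$slug" "$visible_list"; then
      echo "HIDDEN $slug"
    fi
  done
}

# 3. Constructed sample data so the checks run offline. The logins and plugin
#    tree below are made up for the demo and mirror the indicators in the article.
demo() {
  local work
  work=$(mktemp -d)
  mkdir -p "$work/plugins/akismet" "$work/plugins/optinmonster" \
           "$work/plugins/database-optimizer"
  # The dashboard listing omits the backdoor because it filters itself out.
  printf 'akismet\noptinmonster\n' > "$work/visible.txt"
  printf 'alice\ndeveloper_api1\ndev_a8k2qz\nbob\n' > "$work/admins.txt"

  echo "# rogue admins"
  find_rogue_admins < "$work/admins.txt"
  echo "# plugin findings"
  find_suspicious_plugins "$work/plugins" "$work/visible.txt"
  rm -rf "$work"
}

demo
```

A ‘HIDDEN’ hit on a directory that also matches a known slug is the strongest signal; a ‘HIDDEN’ hit on an unfamiliar slug still deserves a look, because the operator renamed the plugin at least once while keeping its logic unchanged, so the next disguise may carry a different name.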
Sansec’s findings and Awesome Motive’s advisory together trace a clear path: a compromised marketing environment and stolen CDN access turned the plugin delivery layer into the attacker’s distribution channel, then used administrator visits to convert “infected page” into “full website control.”