OptinMonster Supply Chain Attack: WordPress Sites Get Hidden Backdoors

OptinMonster, TrustPulse and PushEngage scripts were tampered with in a WordPress supply-chain attack that planted hidden administrator accounts and backdoor plugins.

WordPress site owners using OptinMonster, TrustPulse or PushEngage should check their servers, not just the dashboard, after researchers found a supply-chain attack that turned trusted plugin scripts into a way to create hidden administrator accounts and install backdoor plugins.[1]

Sansec said on June 13, 2026 that malicious JavaScript was served through files used by the three Awesome Motive products, reaching a plugin footprint of more than 1.2 million sites. That number is exposure, not confirmed infections: the payload only ran when a logged-in WordPress administrator loaded the affected script.[1] PushEngage then published its own incident notice on June 14, confirming that a CDN credential had been abused to serve tampered JavaScript to customer sites for a limited window.[2]

[Editorial cartoon: a trusted WordPress script delivery hiding a backdoor admin account. Caption: The delivery looked trusted. The hidden admin badge did not.]

The story matters because the attacker did not need to compromise each WordPress install one by one. A site could load a normal-looking vendor script and, if an administrator session was present, the script could use that session to act with full privileges. It attempted to create a rogue admin account, install a concealed plugin, and send site/login details to tidio[.]cc, a lookalike domain unrelated to the legitimate Tidio service.[1]

The attack also differs from a normal plugin vulnerability. The malicious code was delivered from the vendors' upstream script endpoints at page load, not shipped inside the plugin package, so confirming that the local plugin files match the current release is not enough. Sansec listed OptinMonster and TrustPulse exposure around 22:17-22:42 UTC on June 12, while PushEngage said its tampered files were present for several hours on June 12 and, for a subset of users, continued to be served from some CDN edge locations until June 14.[1][2]

PushEngage says its application servers, source code and customer account-data systems were separate and not breached. Its explanation is that an attacker reached the marketing website through a known UpdraftPlus issue, found a CDN API key there, and used that key to alter the JavaScript served to sites embedding PushEngage scripts.[2] Sansec treats the wider entry point as still unsettled for the three-product campaign, which is why site owners should focus on local compromise indicators rather than waiting for a perfect root-cause answer.

What WordPress admins should check now

If any of the three products was active during the June 12-14 UTC window, treat admin-session exposure as plausible until you have checked the server. Start with the filesystem under wp-content/plugins, because the backdoor plugin was designed to hide from the WordPress dashboard and REST plugin list. Sansec named two observed plugin disguises: content-delivery-helper / “Content Delivery Helper” and database-optimizer / “Database Optimizer”.[1]

Next, review administrator accounts for developer_api1, [email protected], and unexpected dev_xxxxxx-style accounts, and query the user table directly (WP-CLI or SQL) rather than trusting the Users screen, since a plugin running with admin rights can filter what the dashboard lists. Server logs should be checked for requests or outbound callbacks involving tidio.cc, /cdn-cgi/ paths, and the IP address 84.201.6.54; on Cloudflare-proxied sites legitimate /cdn-cgi/ requests are routine, so weigh that indicator together with the other two. If any indicator appears, rotate WordPress admin passwords, database credentials and API keys, regenerate the WordPress salts so that every existing session (including the attacker's) is invalidated, and assume there may be more than one persistence point.
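The checks above, collected into one script as an added example. This is not Sansec's, PushEngage's or the plugin vendors' tooling, and it assumes you have already exported two things: the administrator list (for instance with `wp user list --role=administrator --fields=user_login,user_email --format=csv`) and the plugin slugs the dashboard or REST plugin list reports, one per line. The `dev_` plus six alphanumerics pattern is my reading of "dev_xxxxxx-style"; the fixture data, hostnames and log lines are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not vendor or researcher tooling: sweeps one WordPress install
# for the indicators in the article. Usage:
#   sweep.sh WP_ROOT DASHBOARD_SLUGS_FILE ADMIN_CSV ACCESS_LOG
#   sweep.sh --demo      (runs against a constructed fixture)

# Plugin directory names Sansec observed the backdoor plugin using.
IOC_PLUGIN_SLUGS="content-delivery-helper database-optimizer"
# Network indicators. /cdn-cgi/ is also Cloudflare's normal path prefix, so on a
# proxied site it corroborates the other two rather than proving anything alone.
IOC_LOG_PATTERNS='tidio\.cc|/cdn-cgi/|84\.201\.6\.54'

# plugins_on_disk_not_in_dashboard WP_ROOT DASHBOARD_SLUGS_FILE
# Every directory under wp-content/plugins is a plugin the filesystem knows
# about; anything missing from the dashboard's list is hiding from WordPress.
# Known bad slugs are flagged even if the dashboard happened to show them.
# Single-file plugins sit directly in wp-content/plugins; list those too.
plugins_on_disk_not_in_dashboard() {
  local root="$1" listed="$2" dir slug
  for dir in "$root"/wp-content/plugins/*/; do
    [ -d "$dir" ] || continue
    slug=$(basename "$dir")
    grep -qx "$slug" "$listed" || echo "HIDDEN_PLUGIN $slug"
    case " $IOC_PLUGIN_SLUGS " in
      *" $slug "*) echo "KNOWN_BAD_PLUGIN $slug" ;;
    esac
  done
}

# suspicious_admins ADMIN_CSV
# Flags the named account and dev_xxxxxx-style logins. "dev_" plus six
# alphanumerics is an assumption about the pattern; widen it if your export
# shows a different shape.
suspicious_admins() {
  tail -n +2 "$1" | cut -d, -f1 \
    | grep -E '^(developer_api1|dev_[A-Za-z0-9]{6})$' \
    | sed 's/^/SUSPICIOUS_ADMIN /'
}

# log_ioc_hits ACCESS_LOG
# Prints every access-log line mentioning the callback domain, the IP or a
# /cdn-cgi/ path. An access log only records inbound requests: a callback sent
# from the admin's browser never appears here, and one sent by PHP would show
# up in egress or firewall logs instead.
log_ioc_hits() {
  grep -E "$IOC_LOG_PATTERNS" "$1" | sed 's/^/LOG_HIT /'
}

# make_fixture: constructed install layout, admin export and log lines so the
# functions can be exercised offline. Prints the temp directory it created.
make_fixture() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/plugins/optinmonster" \
           "$d/wp-content/plugins/content-delivery-helper" \
           "$d/wp-content/plugins/database-optimizer"
  printf 'optinmonster\n' > "$d/dashboard_plugins.txt"   # all the dashboard showed
  printf '%s\n' 'user_login,user_email' \
                'siteowner,owner@example.com' \
                'developer_api1,dev@example.com' \
                'dev_a1b2c3,dev2@example.com' > "$d/admins.csv"
  printf '%s\n' \
    '203.0.113.7 - - [12/Jun/2026:22:20:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120' \
    '203.0.113.7 - - [12/Jun/2026:22:20:09 +0000] "POST /cdn-cgi/ HTTP/1.1" 200 12' \
    '84.201.6.54 - - [12/Jun/2026:22:31:44 +0000] "GET /wp-login.php HTTP/1.1" 200 3001' \
    > "$d/access.log"
  echo "$d"
}

case "$#:${1:-}" in
  1:--demo) d=$(make_fixture)
            plugins_on_disk_not_in_dashboard "$d" "$d/dashboard_plugins.txt"
            suspicious_admins "$d/admins.csv"
            log_ioc_hits "$d/access.log"
            rm -rf "$d" ;;
  4:*)      plugins_on_disk_not_in_dashboard "$1" "$2"
            suspicious_admins "$3"
            log_ioc_hits "$4" ;;
esac
```

Run it with `--demo` to see the three finding types; on a real host the filesystem comparison is the part that matters most, because it is the one view the hidden plugin cannot filter.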

For howtofix.guide readers, the practical lesson is the same one seen in earlier WordPress admin-takeover incidents such as Kirki CVE-2026-8206 and WP Maps Pro CVE-2026-8732: when admin privileges are abused, the dashboard is not the full source of truth. This campaign also fits the broader supply-chain pattern seen in package ecosystems, including the Mini Shai-Hulud npm/PyPI compromise. The difference here is that the browser delivered the malicious code through trusted marketing and push-notification scripts.

There is also one useful historical cross-check: OptinMonster has appeared in WordPress security news before, including a 2021 OptinMonster vulnerability. That older issue is separate from this supply-chain event, but it is a reminder that high-install WordPress marketing plugins deserve the same monitoring as login, backup and ecommerce components.

References

  1. Sansec Forensics Team, “OptinMonster supply chain attack hits 1.2 million sites,” June 13, 2026.
  2. PushEngage, “Security Incident: Tampered Script Served via PushEngage,” last updated June 14, 2026.
  3. The Hacker News, “Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites,” June 15, 2026.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
