Supply-chain attack on OptinMonster and related WordPress plugins compromises 1.2 million sites
By
Sansec Forensics Team
Summary
Sansec discovered an active supply-chain attack affecting over 1.2 million sites using OptinMonster, TrustPulse, and PushEngage WordPress plugins, all operated by Awesome Motive. Attackers injected malicious JavaScript into legitimate plugin files, which waits for a logged-in administrator to create a backdoor admin account and install a hidden backdoor plugin. The stolen credentials are sent to a lookalike domain (tidio.cc mimicking tidio.com). The campaign was ongoing as of June 13, 2026.
Source
Key quotes
· 5 pulledSansec discovered an active supply-chain attack hitting over 1.2 million sites that use the popular OptinMonster, TrustPulse and PushEngage Wordpress plugins, all operated by Wordpress giant Awesome Motive.
Attackers added malicious JavaScript to the legitimate files served by Awesome Motive, which are embedded in their customer's sites.
The malware waits for a logged-in administrator, creates a backdoor admin account, and installs a self-hiding backdoor plugin.
It then sends the new credentials to tidio.cc, a lookalike of the real tidio.com.
The campaign is ongoing as of 13 June 2026.
You might also wanna read
Large-Scale Supply Chain Attack: 30 WordPress Plugins Purchased and Backdoored
The article details a large-scale supply chain attack on WordPress plugins where an individual purchased 30 plugins and systematically plant
Supply Chain Attack Compromises Official GravityForms Plugin Repository
A supply chain attack compromised the official GravityForms plugin repository, injecting backdoors into legitimate plugin downloads. The bre

Polyfill supply chain attack embeds malware in JavaScript CDN assets
Supply Chain Attacks on Open-Source Software: Case Study of Malicious Pull Request Attempts
The article discusses recent supply chain attacks on open-source software projects like LiteLLM and axios, with a specific case study of att
Bitwarden CLI 2026.4.0 Compromised in Checkmarx Supply Chain Attack via GitHub Action
Socket researchers discovered that Bitwarden CLI version 2026.4.0 was compromised as part of the ongoing Checkmarx supply chain campaign. Th
Trust Wallet Chrome Extension Compromised in Supply Chain Attack, $7 Million Stolen
The Trust Wallet Chrome extension was compromised in a supply chain attack where malicious code in version 2.68 exfiltrated wallet seed phra

Comments
Sign in to join the conversation.
No comments yet. Be the first.