A large-scale supply chain attack has compromised WordPress websites using the popular marketing plugins PushEngage, OptinMonster, and TrustPulse. Security researchers discovered that attackers modified trusted JavaScript files delivered through content delivery networks (CDNs), allowing them to gain administrative access to affected websites.
The attack specifically targeted logged-in WordPress administrators. When an administrator loaded the malicious script, the code automatically created a rogue admin account and installed a hidden backdoor plugin, giving attackers persistent access to the site.
Security experts warn that any website exposed during the attack window should be considered potentially compromised and thoroughly investigated.
Supply Chain Attack Targets Trusted Plugin Infrastructure
The incident was first disclosed on June 13 by cybersecurity firm Sansec, which identified malicious JavaScript code being served through all three plugins. The affected plugins are owned by Awesome Motive, the company behind several popular WordPress products.
A day later, PushEngage confirmed the incident, acknowledging that attackers had served tampered versions of its JavaScript files. According to the company, websites loading the modified scripts could be taken over if a WordPress administrator was logged in at the time.
While PushEngage has released official guidance and updates regarding the breach, users of OptinMonster and TrustPulse have yet to receive public advisories from the vendor.
Different Exposure Windows Across Plugins
Researchers found that the malicious code was active for varying periods depending on the plugin.
- OptinMonster and TrustPulse reportedly served the malicious script for approximately 25 minutes on June 12.
- The compromised code was first observed around 22:17 UTC and removed by approximately 22:42 UTC.
- PushEngage experienced a longer exposure period, with malicious scripts remaining available for several hours on June 12 and continuing to be served from some CDN servers until June 14.
Despite the shorter exposure window, OptinMonster represents the largest potential attack surface due to its massive user base.
More Than 1.2 Million Sites Potentially Exposed
Sansec estimates that the three affected plugins collectively reach over 1.2 million websites.
The estimated installation numbers include:
- OptinMonster: More than 1 million active installations
- PushEngage: Over 9,000 WordPress installations
- TrustPulse: Additional active installations contributing to the overall reach
It is important to note that these figures represent potential exposure rather than confirmed compromises.
How the Attack Worked
The malicious JavaScript was designed to remain inactive during normal website visits. Instead, it only executed when a logged-in WordPress administrator accessed a page containing the compromised script.
Once triggered, the malware:
- Leveraged the administrator’s active session.
- Created a new administrator account controlled by the attacker.
- Installed a hidden plugin designed to evade dashboard detection.
- Transmitted newly created login credentials and site details to an attacker-controlled server.
Because the attack relied on existing administrator privileges, no password theft or brute-force activity was required.
Hidden Backdoor Enables Long-Term Access
The most dangerous component of the attack was the hidden plugin installed after compromise.
Researchers found that the plugin functioned as a web shell, allowing attackers to remotely execute commands on the affected server.
With this level of access, threat actors could:
- Modify website files
- Steal databases
- Inject malicious code
- Install additional malware
- Redirect website visitors
- Deploy payment card skimmers
- Exfiltrate sensitive information
Security experts caution that simply removing the malicious plugin or rogue administrator account may not completely eliminate the threat, as attackers could have installed additional persistence mechanisms.
Suspicious Domain Used for Data Exfiltration
According to investigators, compromised websites transmitted data to the domain tidio[.]cc, which was designed to resemble the legitimate customer service platform Tidio.
Researchers discovered that the fraudulent domain had been registered on April 28, weeks before the attack occurred. This suggests a carefully planned operation rather than an opportunistic intrusion.
The malicious infrastructure also communicated with the IP address 84.201.6.54.
Organizations are advised to review historical logs for connections to these indicators.
Debate Continues Over Initial Entry Point
The exact cause of the compromise remains under investigation.
PushEngage claims the attackers first gained access through a known vulnerability affecting a server used for its marketing website. According to the company, the attackers exploited a flaw in the UpdraftPlus backup plugin and obtained a CDN API key stored on that server.
With access to the CDN credentials, attackers were allegedly able to modify JavaScript files delivered to customer websites without compromising the core PushEngage platform.
However, Sansec has not confirmed this explanation. Researchers state that the original breach point remains unknown and could involve:
- Awesome Motive infrastructure
- CDN account credentials
- Other internal systems
At this stage, the root cause remains unverified.
What Website Owners Should Do Immediately
Organizations using PushEngage, OptinMonster, or TrustPulse during the affected period should assume possible compromise and perform a full investigation.
1. Conduct a Server-Side Security Scan
A WordPress dashboard review is insufficient because the malicious plugin was designed to remain hidden.
Perform a direct filesystem scan of the server to identify unauthorized files and modifications.
2. Search for Known Malicious Plugins
Inspect the wp-content/plugins directory for suspicious folders, including:
- content-delivery-helper
- database-optimizer
Any unexpected plugins should be investigated immediately.
3. Review Administrator Accounts
Check for unauthorized administrator accounts, particularly:
- developer_api1
- Accounts matching the pattern dev_xxxxxx
Remove any accounts that were not intentionally created by your team.
4. Analyze Server Logs
Review logs from June 12 through June 14 for:
- Requests to tidio[.]cc
- Connections involving /cdn-cgi/ paths
- Traffic directed to 84.201.6.54
These indicators may help determine whether your site was affected.
5. Rotate All Credentials
If any indicators of compromise are discovered:
- Change all WordPress administrator passwords
- Rotate API keys
- Update database credentials
- Regenerate WordPress security salts in wp-config.php
Because attackers achieved remote code execution, additional hidden backdoors may still exist.
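A triage script for steps 2 to 4 above, added here as an example (it is not code from the article, Sansec, Awesome Motive or any of the plugin vendors): it looks for the two plugin folder names, filters an administrator login list against the rogue-account patterns, and greps a log file for the three network indicators. The site path, the log format, how loosely dev_xxxxxx is matched, and the use of WP-CLI to list administrators are assumptions.

```bash
#!/usr/bin/env bash
# Added triage helper for steps 2 to 4 above; not code from the article,
# Sansec or Awesome Motive. Paths, the log format and the character class
# used for dev_xxxxxx accounts are assumptions: adjust them to your server.
set -u
SUSPECT_PLUGINS="content-delivery-helper database-optimizer"  # step 2
SUSPECT_ADMIN_RE='^(developer_api1|dev_[[:alnum:]]+)$'         # step 3
IOC_RE='tidio\.cc|84\.201\.6\.54|/cdn-cgi/'                     # step 4
# Print suspect plugin folders present under $1 (the wp-content/plugins dir)
check_plugin_dirs() {
  local dir=$1 name
  for name in $SUSPECT_PLUGINS; do
    [ -d "$dir/$name" ] && echo "PLUGIN $dir/$name"
  done
  return 0
}
# Print admin logins from stdin (one per line, e.g. the output of
# `wp user list --role=administrator --field=user_login`) that match a pattern
check_admin_logins() {
  grep -E "$SUSPECT_ADMIN_RE" | sed 's/^/ADMIN /'
  return 0
}
# Print lines of log file $1 (web server, proxy or firewall) mentioning an IoC
check_access_log() {
  grep -E "$IOC_RE" "$1" | sed 's/^/LOG /'
  return 0
}
# Run all checks; exit status 1 when anything was found, so it can gate a script
triage_site() {
  local root=$1 log=$2 logins=$3 findings
  findings=$( { check_plugin_dirs "$root/wp-content/plugins"
                printf '%s\n' "$logins" | check_admin_logins
                check_access_log "$log"; } )
  [ -z "$findings" ] && { echo "no indicators found"; return 0; }
  echo "$findings"; return 1
}
# Constructed sample fixture (not real data): the rogue plugin folder plus a
# /cdn-cgi/ request and an outbound proxy connection to the exfiltration domain
make_sample_site() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/wp-content/plugins/content-delivery-helper" "$root/wp-content/plugins/akismet"
  printf '%s\n' \
    '203.0.113.9 - - [12/Jun/2025:22:20:14 +0000] "POST /cdn-cgi/example HTTP/1.1" 200 12' \
    '203.0.113.9 - - [12/Jun/2025:22:20:16 +0000] "GET /?p=1 HTTP/1.1" 200 512' \
    'proxy 12/Jun/2025 22:20:18 CONNECT tidio.cc:443 from 203.0.113.9' > "$root/access.log"
  echo "$root"
}
# Demo run against the constructed fixture: ./triage.sh --demo
[ "${1:-}" = "--demo" ] && { r=$(make_sample_site); triage_site "$r" "$r/access.log" "developer_api1"; }
```

On a real server, pass the WordPress root, the relevant log file and the output of your admin-user listing instead of the fixture; a non-zero exit means at least one indicator matched and the site needs the full investigation described above.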
Final Thoughts
This incident highlights the growing threat posed by software supply chain attacks. By compromising trusted third-party scripts, attackers were able to target WordPress administrators and gain full control of affected websites without exploiting the sites directly.
Website owners using PushEngage, OptinMonster, or TrustPulse during the attack period should perform immediate server-level investigations and treat any signs of compromise as a serious security incident. As supply chain attacks continue to rise, organizations must closely monitor third-party dependencies and implement continuous security auditing practices.
