    OptinMonster WordPress plugin hacked in CDN supply-chain attack

    By admin, June 15, 2026
    The WordPress plugins OptinMonster, TrustPulse, and PushEngage have been compromised in a supply-chain attack on Awesome Motive’s content delivery network (CDN).

    Of the three products, the OptinMonster lead-generation and conversion optimization platform is the most popular, with at least 1.2 million websites using it.

    E-commerce security firm Sansec discovered the attack over the weekend and found that malicious scripts were served to unsuspecting OptinMonster and TrustPulse users on Friday between 22:17 UTC and 22:42 UTC.

    PushEngage continued to serve malicious JavaScript code until 19:02 UTC on Saturday.

    The malware triggered only when a WordPress administrator visited a page on an infected website, collecting authentication tokens and nonces, and using them to create a rogue administrator account.

    The intruders then installed a self-hiding backdoor plugin and established a communication channel with a domain impersonating Tidio to send any newly captured data.

    The plugin also provided full remote access capabilities, including a web shell (“WPM File Manager & Shell”) and arbitrary PHP code execution, granting attackers full control of compromised websites.

    “The operator rotates the plugin’s disguise while keeping the logic byte-identical across renames,” Sansec says.

    “We have observed it shipping as “Content Delivery Helper” (content-delivery-helper, v2.7.1) and, currently, as “Database Optimizer” (database-optimizer, v2.9.4).”

    Awesome Motive published a security advisory earlier today about the incident, explaining that hackers gained access to a server in its environment after exploiting a known flaw in the UpdraftPlus WordPress plugin.

    This server hosted a marketing website and was not connected to the company’s production infrastructure or data systems; however, it hosted credentials for the company’s CDN account, which the hackers stole.

    Using the stolen CDN API key, the attackers modified JavaScript files distributed via Awesome Motive’s CDN, causing websites to silently load malicious code directly from the CDN.

    The affected files are:

    1. a.omappapi.com/app/js/api.min.js – OptinMonster
    2. a.opmnstr.com/app/js/api.min.js – OptinMonster
    3. a.optnmstr.com/app/js/api.min.js – OptinMonster
    4. a.trstplse.com/app/js/api.min.js – TrustPulse

    Awesome Motive reports that the malicious scripts were served for a short period on June 12 for OptinMonster and TrustPulse, but it has not confirmed the impact on PushEngage.

    “We have since remediated the marketing site, migrated it to a new server, and rotated all credentials, including the CDN API key,” Awesome Motive stated.

    The company also assured that its application servers, source code, and plugin hosting servers were not compromised.

    “Our application servers, our source code, and the systems that store your OptinMonster and TrustPulse account information are hosted separately and were not breached,” stated the publisher.

    “We have no evidence that account data or personal details held by us were accessed.”

    Site owners who might have been affected are advised to:

    • Check for and remove the rogue admin accounts ‘developer_api1’ or ‘dev_xxxxxx’
    • Inspect the filesystem directly under wp-content/plugins for hidden backdoor plugins
    • Execute server-side malware scans
    • Rotate administrator passwords, API keys, database credentials, and WordPress security salts

    While the malicious content has been removed, the attacker continues to have access to compromised websites as long as the rogue administrator accounts and hidden backdoor plugins are still present.
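    The first two checks in the list above can be scripted. The following is an added example, not code from Sansec or Awesome Motive: it compares the plugin directories on disk with an allowlist the site owner supplies and filters administrator logins for the reported account names. The function names, the allowlist approach, and the sample data are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Names reported by Sansec in the article. The operator rotates them, so a
# name match is a starting point and the allowlist comparison is the real check.
REPORTED_SLUGS = {"content-delivery-helper", "database-optimizer"}
REPORTED_NAMES = {"content delivery helper", "database optimizer"}
# Account names from the article; each "x" read as one word character (assumption).
ROGUE_USER = re.compile(r"^(developer_api1|dev_\w{6})$")
HEADER = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+)$", re.M | re.I)


def plugin_name(plugin_dir):
    """Return the 'Plugin Name' header from a top-level PHP file, or ''."""
    for php in sorted(plugin_dir.glob("*.php")):
        m = HEADER.search(php.read_text(errors="replace")[:8192])
        if m:
            return m.group(1).strip()
    return ""


def audit_plugins(plugins_dir, expected):
    """Compare plugin directories on disk with the slugs the owner expects."""
    findings = []
    for entry in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        name = plugin_name(entry).lower()
        if entry.name in REPORTED_SLUGS or name in REPORTED_NAMES:
            findings.append((entry.name, "matches reported backdoor name"))
        elif entry.name not in expected:
            findings.append((entry.name, "not in expected plugin list"))
    return findings


def rogue_admins(logins):
    """Filter administrator logins (e.g. a WP-CLI export) for the rogue names."""
    return [u for u in logins if ROGUE_USER.match(u)]


def demo():
    """Run both checks on a constructed plugins directory and login list."""
    with tempfile.TemporaryDirectory() as tmp:
        for slug, name in [("optinmonster", "OptinMonster"), ("seo-extra", "SEO Extra"),
                           ("cache-tools", "Database Optimizer")]:
            Path(tmp, slug).mkdir()
            Path(tmp, slug, slug + ".php").write_text(
                f"<?php\n/*\n * Plugin Name: {name}\n */\n")
        found = audit_plugins(tmp, expected={"optinmonster"})
    return found, rogue_admins(["alice", "developer_api1", "dev_a1b2c3"])
```

    Run it against the real wp-content/plugins path on the server rather than relying on the WordPress admin plugin list, since the backdoor hides itself there.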

