Supply Chain Attack via CDN Affects Popular WordPress Plugins Used by More Than 1.2 Million Websites


324/69 Tuesday, June 16, 2026

Security researchers have disclosed a supply chain attack affecting WordPress websites that use Awesome Motive’s OptinMonster, TrustPulse, and PushEngage plugins. The attackers injected malicious code into JavaScript files served through the provider’s CDN. As a result, websites loading the affected scripts may have received modified code from the original, trusted source, without any malicious files needing to be stored on the website’s own server.

Reports indicate that the malicious code was designed to execute when it detected a logged-in WordPress administrator. It then attempted to create a new administrator account, install a backdoor plugin hidden from the Dashboard, and send account and website information to the attackers’ command-and-control domain. The incident puts at risk, and may already have affected, the more than 1.2 million websites using the three plugins.

Reports also indicate that the malicious code is no longer being served from the related CDN paths. However, WordPress website administrators using OptinMonster, TrustPulse, or PushEngage should review administrator accounts and look for unusual plugins, especially accounts or files created without authorization. They should also review connection logs, change important passwords and secrets, and closely monitor announcements from the plugin developers.
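Because the backdoor plugin is reported to be hidden from the Dashboard, the plugin and account review is more reliable when done against the filesystem and exported user records than through the admin UI. The following is an added example, not code from the report or from the plugin developers; the record field `roles`, the baseline list, the review-window date, and all sample names are constructed assumptions.

```python
import os
import tempfile
from datetime import datetime

def unexpected_plugins(plugins_dir, baseline):
    """Plugin entries on disk that are not in the known-good baseline.

    Reads the filesystem directly, so a plugin that hides itself from the
    Dashboard list is still reported.
    """
    found = set()
    for entry in os.scandir(plugins_dir):
        # A plugin is a directory or a single top-level .php file.
        if entry.is_dir() or entry.name.endswith(".php"):
            found.add(entry.name)
    found.discard("index.php")  # stock placeholder file, not a plugin
    return sorted(found - set(baseline))

def recent_admins(users, cutoff):
    """Logins of administrator accounts registered at or after `cutoff`."""
    flagged = []
    for u in users:
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in u["roles"] and registered >= cutoff:
            flagged.append(u["user_login"])
    return flagged

def demo():
    """Run both checks on constructed sample data (not from the incident)."""
    with tempfile.TemporaryDirectory() as plugins_dir:
        # Stand-in for wp-content/plugins on the server being audited.
        for name in ("optinmonster", "akismet", "placeholder-unknown-plugin"):
            os.mkdir(os.path.join(plugins_dir, name))
        open(os.path.join(plugins_dir, "index.php"), "w").close()
        baseline = ["optinmonster", "akismet"]  # what the site owner installed
        plugins = unexpected_plugins(plugins_dir, baseline)
    users = [  # constructed records, shaped like an export of the users table
        {"user_login": "site-owner", "roles": ["administrator"], "user_registered": "2024-03-02 09:15:00"},
        {"user_login": "editor1", "roles": ["editor"], "user_registered": "2026-06-10 11:00:00"},
        {"user_login": "placeholder-admin", "roles": ["administrator"], "user_registered": "2026-06-12 03:41:07"},
    ]
    cutoff = datetime(2026, 6, 1)  # constructed start of the review window
    return plugins, recent_admins(users, cutoff)

if __name__ == "__main__":
    print(demo())
```

Anything either check returns is a lead to investigate, not a verdict; the baseline should come from the site owner's own install records.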

Source: https://securityaffairs.com/193616/malware/supply-chain-attack-hits-popular-wordpress-plugins-through-awesome-motive-cdn.html