WordPress site owners running OptinMonster, TrustPulse, or PushEngage should audit their admin accounts and file system immediately. According to a security advisory published by e-commerce security firm Sansec — and independently corroborated by BleepingComputer and a widely shared r/WordPress thread — attackers tampered with JavaScript files served via Awesome Motive’s content distribution network, causing sites to silently load malicious code directly from the CDN. Awesome Motive has since published a security advisory confirming the breach.

The malicious script targeted logged-in administrators: when a site owner visited any page on an infected site while authenticated, the code harvested authentication tokens and nonces, then silently created a rogue administrator account. It also installed a self-hiding backdoor plugin — observed shipping under the disguise names “Content Delivery Helper” and “Database Optimizer” — and exfiltrated captured credentials to a command-and-control domain impersonating the legitimate Tidio service. Sansec reports the attack reached over 1.2 million sites that use these plugins, representing the full pool of potentially exposed installations; confirmed compromised site counts are lower and still being assessed. No connection to the ClearFake campaign has been established in any official advisory related to this incident.

A heavy steel padlock sits unlatched on a white surface next to small keys, one bent, as a hand reaches toward it.

OptinMonster CDN Supply-Chain Attack Hits 1.2M WordPress

Users in the r/WordPress thread report that Wordfence‘s free tier did not flag the intrusion on their sites, though this has not been confirmed by Defiant, the company behind the plugin. All three plugins are published by Awesome Motive, which also develops MonsterInsights — a separate Google Analytics plugin with around 2 million active installs. Sansec notes that while only the three affected plugins have been confirmed compromised, any site running an Awesome Motive plugin should remain alert as the company responds. Key areas to check on any potentially affected site include:

Rogue administrator accounts
Look for accounts named developer_api1 (email: [email protected]) and any unexpected dev_xxxxxx accounts. Remove them immediately.
Hidden backdoor plugins
Search the filesystem under /wp-content/plugins/ directly — not just the WordPress admin screen — for folders named content-delivery-helper or database-optimizer. The backdoor actively hides itself from the plugin dashboard, so the disk may reveal what the UI does not.
Theme and root files
Random PHP files placed outside the plugins folder — including in theme directories or the WordPress root — are a common persistence method used by attackers.

The attack vector was a stolen CDN API key. Awesome Motive reports that an attacker exploited a known vulnerability in the UpdraftPlus WordPress plugin on an internal marketing server, found CDN credentials stored there, and used them to modify the JavaScript SDK files distributed to customers. The company states that its application servers, source code, and plugin hosting servers were not compromised, and that no account data or personal details were accessed. Malicious scripts were active on the OptinMonster and TrustPulse CDN endpoints from approximately 22:17 UTC on 12 June 2026, with PushEngage continuing to serve the injected code until 14 June 2026.

For affected sites, Awesome Motive and Sansec both recommend removing rogue admin accounts, scanning the /wp-content/plugins/ filesystem directly for hidden backdoor plugins, running a server-side malware scan, and rotating all administrator passwords, API keys, database credentials, and WordPress security salts. The malicious CDN content has been removed, but attackers retain access to any site where rogue accounts or backdoor plugins have not yet been cleaned up.