OptinMonster Backdoor: What to Check If Your WordPress Site Runs Awesome Motive Plugins

by Rebecca Sutton

If your WordPress site runs OptinMonster, TrustPulse or PushEngage, it may have been backdoored this week. Sansec’s investigation found an OptinMonster backdoor that silently created administrator accounts and installed a hidden web shell on over 1.2 million sites. The malicious code was injected not into the plugins themselves but into the CDN-served JavaScript files those plugins load. The compromise happened at Awesome Motive’s infrastructure, not yours.

How the OptinMonster Backdoor Got In

Attackers inserted malicious JavaScript into files served from Awesome Motive’s content delivery network. OptinMonster has over one million active WordPress installations, with TrustPulse and PushEngage adding to that total. Any site loading those CDN scripts was exposed from the moment the attack began on 12 June 2026.

The malware is patient. It waits for a WordPress administrator to load a page, then locates the WordPress root directory, harvests authentication tokens, creates hidden admin accounts, and installs a backdoor plugin. That plugin hides itself from the WordPress admin panel and from the REST API used by security tools.

The planted plugin exposes a web shell (accessible without authentication) and a code execution endpoint. Stolen credentials are sent, XOR-encrypted, to a lookalike domain: tidio.cc rather than the legitimate tidio.com. That domain was registered on 28 April, nearly seven weeks before the attack launched.

The OptinMonster backdoor and TrustPulse CDN files were cleaned on the evening of 12 June. PushEngage kept serving the malicious version until 14 June, a 40-hour window of exposure.

What to Check on Your Site Right Now

Work through this in order. Each step matters, and stopping early gives attackers a foothold they can use later.

Users: Go to your WordPress admin panel under Users > All Users. Look for an account named developer_api1 with the email customer1usx@gmail.com. Also look for any Administrator-level accounts beginning with dev_ followed by random characters. Delete any you find and did not create yourself.

Plugins: The backdoor plugin hides from the WordPress admin panel, so you cannot rely on the plugin list. Use your hosting control panel’s file manager or SSH to search the wp-content/plugins/ directory directly for folders named content-delivery-helper or database-optimizer. These are not legitimate plugins. Remove them if present.

Passwords and secrets: Rotate all WordPress admin passwords, your database password, and any API keys stored in wp-config.php. If the backdoor plugin was present, assume the attacker ran arbitrary commands on your server. That scope goes beyond WordPress. Check for new or modified files in your document root, unexpected cron jobs, and additional PHP web shells.

Third-party scripts: WPForms, MonsterInsights and All in One SEO (other Awesome Motive products) were not found to be affected. They are worth monitoring, but no immediate action is needed unless the steps above uncover something.
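The three checks above (users, plugin directories, recently changed files) can be run together from an SSH session. The script below is an added example written for this article, not code from Sansec or Awesome Motive. It assumes WP-CLI is installed, that the site root is passed as the first argument, and it uses only the indicators the article names: the developer_api1 account, the customer1usx@gmail.com address, admin logins beginning with dev_, and the content-delivery-helper and database-optimizer plugin folders. The 7-day window for modified PHP files is an assumption you can widen.

```shell
#!/bin/sh
# Added example (not from the article or Awesome Motive): a POSIX shell
# audit of the indicators listed in the checklist. Usage: sh audit.sh /var/www/site
# Assumes WP-CLI (`wp`) is available on PATH.

# 1. Flag administrator accounts matching the published indicators.
#    Reads CSV lines "user_login,user_email" (header included), e.g. from
#    wp user list --role=administrator --fields=user_login,user_email --format=csv
flag_admin_users() {
    awk -F, 'NR > 1 && ($1 == "developer_api1" \
                       || $2 == "customer1usx@gmail.com" \
                       || $1 ~ /^dev_/) { print $1 " <" $2 ">" }'
}

# 2. Check the plugins directory on disk. The backdoor plugin hides from the
#    admin plugin list, so the filesystem, not WordPress, is the source of truth.
flag_plugin_dirs() {
    plugins_dir="$1"
    for name in content-delivery-helper database-optimizer; do
        [ -d "$plugins_dir/$name" ] && echo "$plugins_dir/$name"
    done
    return 0
}

# 3. List PHP files modified in the last N days (default 7) under the
#    document root; each one needs a manual look for dropped web shells.
recent_php_files() {
    docroot="$1"; days="${2:-7}"
    find "$docroot" -type f -name '*.php' -mtime "-$days" | sort
}

site_audit() {
    site="$1"
    echo "== administrator accounts matching indicators =="
    wp --path="$site" user list --role=administrator \
        --fields=user_login,user_email --format=csv | flag_admin_users
    echo "== backdoor plugin directories present on disk =="
    flag_plugin_dirs "$site/wp-content/plugins"
    echo "== PHP files modified in the last 7 days =="
    recent_php_files "$site" 7
    echo "== cron entries for this user (review for unexpected jobs) =="
    crontab -l 2>/dev/null
    return 0
}

# Only run the audit when a site root was given on the command line.
if [ -n "${1:-}" ]; then
    site_audit "$1"
fi
```

The user check deliberately matches on login or e-mail separately: an attacker who renames one but not the other still trips it. A clean run prints empty sections; anything printed under the first two headings is a confirmed indicator and should be removed before the password rotation step, otherwise the attacker simply logs back in with the new credentials.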

Why CDN Supply Chain Attacks Are Hard to Defend Against

Your server and your WordPress installation were not directly breached. The attacker got into Awesome Motive’s systems (or their CDN account) and then used your site’s own trust in that vendor to run code in your administrators’ browsers.

Standard defences do not catch this. A web application firewall inspects requests to your server. It cannot see the JavaScript your browser fetches from a.omappapi.com. Vulnerability scanners check your installed software versions. They do not audit the runtime behaviour of third-party CDN scripts. Even a perfectly patched WordPress site would have been exposed if it was loading OptinMonster on 12 June.

This is not unique to WordPress or Awesome Motive. It is the same attack methodology used against Polyfill.io in 2024, when a legitimate CDN was bought and its files replaced with malicious versions serving millions of sites. The same concept sits behind npm supply chain attacks that have hit developer ecosystems repeatedly. The pattern works because the web relies on implicit trust in external resources. Most organisations have no way to detect when that trust is abused.

What This Means for Your Security Posture

After you have remediated the immediate issue, two longer-term actions are worth taking. First, audit which third-party JavaScript your site loads and from which domains. A content security policy can restrict what scripts run in users’ browsers and flag new sources when they appear. Second, configure monitoring for unexpected WordPress admin account creation and new plugin installations. Both are reliable signals of compromise that would have caught this attack after the fact, even if not before.
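The second long-term action, alerting on new administrator accounts and new plugins, needs nothing more than a baseline and a periodic comparison. The script below is an added example for this article, not Sansec's or Awesome Motive's code. It assumes WP-CLI is installed, that it runs from cron with the site root as its argument, and that a state directory (default /var/lib/wp-monitor, an assumed path) is writable. Plugins are enumerated both through WP-CLI and by listing wp-content/plugins on disk, so a plugin that hides itself from the admin list is still caught.

```shell
#!/bin/sh
# Added example (not from the article): snapshot-and-diff monitor for new
# administrator accounts and new plugins. Run from cron, e.g. every 15 minutes:
#   */15 * * * * sh wp-monitor.sh /var/www/site | mail -s "wp-monitor" you@example.com
# The first run only records a baseline; later runs print ALERT lines on additions.

STATE_DIR="${STATE_DIR:-/var/lib/wp-monitor}"   # assumed path, adjust to taste

# Sorted administrator logins as reported by WP-CLI.
current_admins() {
    wp --path="$1" user list --role=administrator --field=user_login | sort
}

# Sorted union of plugin slugs known to WordPress and directory entries on
# disk, so a plugin hidden from the admin panel still appears here.
current_plugins() {
    { wp --path="$1" plugin list --field=name; ls "$1/wp-content/plugins"; } | sort -u
}

# Lines present in the second (fresh) sorted file but absent from the first (baseline).
diff_new() {
    comm -13 "$1" "$2"
}

# check_signal NAME BASELINE_FILE: read a fresh sorted snapshot from stdin,
# report additions relative to the stored baseline, then store the snapshot
# as the new baseline. Prints nothing when nothing was added.
check_signal() {
    name="$1"; baseline="$2"; fresh="$baseline.new"
    cat > "$fresh"
    if [ -f "$baseline" ]; then
        added=$(diff_new "$baseline" "$fresh")
        [ -n "$added" ] && printf 'ALERT new %s:\n%s\n' "$name" "$added"
    fi
    mv "$fresh" "$baseline"
    return 0
}

monitor() {
    site="$1"
    mkdir -p "$STATE_DIR"
    current_admins  "$site" | check_signal administrator "$STATE_DIR/admins"
    current_plugins "$site" | check_signal plugin        "$STATE_DIR/plugins"
}

# Only run when a site root was given on the command line.
if [ -n "${1:-}" ]; then
    monitor "$1"
fi
```

Removals are intentionally not alerted on, because legitimate clean-up produces them constantly; an unexpected addition of an administrator or a plugin folder is the signal that would have surfaced this backdoor within one polling interval. The baseline files should live outside the document root so that a web shell running as the web server user cannot rewrite them. The content security policy side of the first action is a response header rather than a script; for a site whose only third-party script host is a.omappapi.com, a starting point is `Content-Security-Policy: script-src 'self' https://a.omappapi.com`, tightened from there as the audit of loaded scripts completes.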

For businesses where the WordPress site handles enquiries, payments or customer data, this incident is a reminder that supply chain risk is not an abstract concern. The OptinMonster backdoor reached 1.2 million sites through plugins most owners considered routine and low-risk.
