
OptinMonster WordPress Plugin Hacked

June 16, 2026 04:08 · 12 min read

OptinMonster WordPress Plugin Hacked in CDN Supply-Chain Attack

The OptinMonster WordPress plugin, used by over 1.2 million websites, was compromised in a supply-chain attack targeting Awesome Motive's content distribution network (CDN). The attack also affected two other WordPress plugins, TrustPulse and PushEngage.

E-commerce security firm Sansec discovered the attack over the weekend and found that malicious scripts were served to unsuspecting OptinMonster and TrustPulse users on Friday between 22:17 UTC and 22:42 UTC. PushEngage continued to serve malicious JavaScript code until 19:02 UTC on Saturday.

Malicious Scripts and Backdoor Plugin

The malware triggered only when a WordPress administrator visited a page on an infected website, collecting authentication tokens and nonces, and using them to create a rogue administrator account. The intruders then installed a self-hiding backdoor plugin and established a communication channel with a domain impersonating Tidio to send any newly captured data.

The plugin also provided full remote access capabilities, including a web shell ("WPM File Manager & Shell") and arbitrary PHP code execution, granting attackers full control of compromised websites. According to Sansec, "The operator rotates the plugin's disguise while keeping the logic byte-identical across renames."

Sansec observed the plugin shipping as "Content Delivery Helper" (content-delivery-helper, v2.7.1) and, currently, as "Database Optimizer" (database-optimizer, v2.9.4).

Awesome Motive's Response

Awesome Motive published a security advisory explaining that hackers gained access to a server in its environment after exploiting a known flaw in the UpdraftPlus WordPress plugin. This server hosted a marketing website and was not connected to the company's production infrastructure or data systems; however, it hosted credentials for the company's CDN account, which the hackers stole.

Using the stolen CDN API key, the attackers modified JavaScript files distributed via Awesome Motive's CDN, causing websites to silently load malicious code directly from the CDN. The affected files are:

Awesome Motive reports that the malicious scripts were served for a short period on June 12 for OptinMonster and TrustPulse, but did not confirm the impact on PushEngage.

The company has since remediated the marketing site, migrated it to a new server, and rotated all credentials, including the CDN API key. Awesome Motive assured that its application servers, source code, and plugin hosting servers were not compromised.

Recommendations for Site Owners

Site owners who might have been affected are recommended to:

  1. Check for, and remove, rogue admin accounts ‘developer_api1’ or ‘dev_xxxxxx’
  2. Inspect the filesystem directly under wp-content/plugins for hidden backdoor plugins
  3. Execute server-side malware scans
  4. Rotate administrator passwords, API keys, database credentials, and WordPress security salts

While the malicious content has been removed, the attacker continues to have access to compromised websites as long as the rogue administrator accounts and hidden backdoor plugins are still present.

Source: BleepingComputer