
A supply chain attack has compromised popular WordPress plugins through Awesome Motive’s CDN, injecting malicious JavaScript into OptinMonster, TrustPulse and PushEngage and affecting over 1.2 million sites.
The malicious code lies dormant until it detects a logged‑in WordPress administrator, at which point it creates a rogue administrator account and installs a backdoor plugin to maintain persistent access.
No CVE identifiers have been assigned to the vulnerability, and the altered JavaScript was only served for about half an hour before the tampered files were replaced, mirroring the short‑lived nature of the 2024 Polyfill library incident.
Researchers at Sansec first observed the tampered files on 15 June 2026, noting that the attack resembled earlier supply‑chain intrusions that abused trusted CDNs to push malicious updates.
Awesome Motive has not issued a public statement about the incident, leaving users to rely on the indicators of compromise released by Sansec, which include unexpected administrator accounts and unfamiliar plugin files in the wp‑content directory.
Administrators should immediately audit their WordPress user lists for any unauthorised accounts, remove any suspicious plugins, and reinstall clean versions of OptinMonster, TrustPulse and PushEngage from the official repository. They should also force password resets for all privileged users and monitor site logs for unexpected external JavaScript loads.
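The user and plugin audit described above can be scripted against a known-good baseline. The following is an added example, not code from Sansec or Awesome Motive: it assumes the user list was exported with `wp user list --format=json` and that plugin names come from a directory listing of wp-content/plugins. The function names, baselines and sample records are constructed for illustration.

```python
import json
from datetime import datetime

# Date Sansec first observed the tampered files, per the article.
FIRST_SEEN = datetime(2026, 6, 15)

# Constructed sample in the shape of `wp user list --format=json`.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner",
     "user_registered": "2021-03-02 09:00:00", "roles": "administrator"},
    {"ID": 7, "user_login": "constructed_editor",
     "user_registered": "2026-06-16 08:30:00", "roles": "editor"},
    {"ID": 9, "user_login": "constructed_rogue_admin",
     "user_registered": "2026-06-15 14:05:33", "roles": "administrator"},
])

def audit_admins(users_json, baseline_logins, cutoff=FIRST_SEEN):
    """Flag administrators missing from the baseline or registered since cutoff."""
    findings = []
    for user in json.loads(users_json):
        # WP-CLI emits roles as a comma-separated string.
        roles = [r.strip() for r in user.get("roles", "").split(",")]
        if "administrator" not in roles:
            continue
        reasons = []
        if user["user_login"] not in baseline_logins:
            reasons.append("not in baseline")
        registered = datetime.strptime(user["user_registered"],
                                       "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff:
            reasons.append("registered on or after cutoff")
        if reasons:
            findings.append((user["user_login"], reasons))
    return findings

def audit_plugins(plugin_dirs, baseline_slugs):
    """Return plugin directory names that are absent from the baseline."""
    return sorted(set(plugin_dirs) - set(baseline_slugs))

if __name__ == "__main__":
    for login, reasons in audit_admins(SAMPLE_USERS, {"siteowner"}):
        print(f"review admin {login}: {', '.join(reasons)}")
    # Constructed directory listing of wp-content/plugins.
    dirs = ["optinmonster", "akismet", "constructed-unknown-plugin"]
    for slug in audit_plugins(dirs, {"optinmonster", "akismet"}):
        print(f"review plugin directory {slug}")
```

The baseline should come from a backup or record made before the cutoff date, not from the live site under review.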