Cybersecurity · June 15, 2026 · via Security Affairs

Supply chain attack targets WordPress sites via compromised CDN

A sophisticated supply chain attack has quietly infiltrated thousands of WordPress sites by compromising files served through a widely trusted content delivery network. Security researchers at Sansec uncovered malicious JavaScript injected into the CDN endpoints of Awesome Motive, the parent company behind popular WordPress plugins including OptinMonster, TrustPulse, and PushEngage. The attack bypassed traditional defenses by embedding the malware directly into scripts delivered from Awesome Motive’s own infrastructure, meaning every site loading those files unknowingly pulled the compromised version.

A stealthy, targeted compromise

The injected code is designed to evade detection and remain dormant under suspicious conditions. It checks for automated tools like headless browsers or web drivers, and only activates when a logged-in WordPress administrator is detected—using cues such as wp-admin paths or the presence of the wordpress_logged_in_ cookie. Once triggered, it performs reconnaissance, harvesting authentication tokens and identifying the WordPress version. It then attempts to create a backdoor administrator account using multiple fallback methods, including standard user registration, the REST API, and even hidden iframes, while adapting to language-specific error messages.

Data exfiltration through layered channels

After establishing persistence, the malware exfiltrates sensitive site data—including admin credentials, site path, and WordPress version—using a combination of encryption and encoding. The stolen information is sent to a lookalike domain, tidio.cc, registered just days before the campaign began. To ensure delivery even if one method fails, the attacker employed four separate network transmission techniques: sendBeacon, fetch (with no-cors), XHR, and even an Image().src beacon. The encryption key used in the process is simple, yet effective enough to obscure the data in transit.

While no official response has been issued by Awesome Motive at the time of writing, users of affected plugins are advised to update their installations and review their sites for unauthorized admin accounts. This incident underscores the growing risk of supply chain attacks targeting widely used third-party infrastructure in the WordPress ecosystem.
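One way to carry out the review for unauthorized admin accounts, as an added example that is not from Security Affairs, Sansec or Awesome Motive: it parses the CSV that `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv` produces and flags administrators that are not on your allowlist or were registered inside a review window. The sample export, the allowlist and the window start date are constructed placeholders.

```python
import csv
import io
from datetime import datetime

# Constructed sample of the WP-CLI administrator export (not real accounts).
SAMPLE_EXPORT = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-02 09:14:55
7,editor_lead,lead@example.com,2023-11-20 16:40:01
42,wp_support_svc,support@example.net,2026-06-10 03:12:47
"""

# Assumptions: the admin logins your team knowingly created, and a review
# window start that you choose (placeholder date, not taken from the article).
KNOWN_ADMINS = {"siteowner", "editor_lead"}
REVIEW_FROM = datetime(2026, 6, 1)


def audit_admins(export_csv, known_admins, review_from):
    """Return (login, reasons) for every administrator that needs review."""
    allow = {name.lower() for name in known_admins}
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["user_login"].strip()
        reasons = []
        if login.lower() not in allow:
            reasons.append("not in allowlist")
        try:
            registered = datetime.strptime(
                row["user_registered"].strip(), "%Y-%m-%d %H:%M:%S"
            )
            if registered >= review_from:
                reasons.append("registered inside review window")
        except ValueError:
            # Zeroed or malformed dates are themselves worth a manual look.
            reasons.append("unparseable registration date")
        if reasons:
            findings.append((login, reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in audit_admins(SAMPLE_EXPORT, KNOWN_ADMINS, REVIEW_FROM):
        print(f"REVIEW {login}: {', '.join(reasons)}")
```

An allowlisted login can still be flagged on date alone, which catches a known account name that was deleted and re-created.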


Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.
