Awesome Motive CDN Compromised; Backdoor Served to OptinMonster Users

Attackers hijacked Awesome Motive's CDN to push a backdoor to OptinMonster, TrustPulse, and PushEngage, creating rogue admin accounts on WordPress sites.

    Sansec disclosed that attackers compromised the content delivery network infrastructure of Awesome Motive — a WordPress plugin developer whose products serve tens of millions of WordPress sites globally — and injected malicious JavaScript that delivered a hidden backdoor to every site loading those plugins from the compromised CDN, following the same structural playbook as the 2024 Polyfill CDN compromise.

    How the Awesome Motive CDN Compromise Reached WordPress Sites Across Three Plugins

    Three Awesome Motive products were affected: OptinMonster, which has over one million active WordPress installations; TrustPulse; and PushEngage. WordPress plugins commonly load JavaScript components from CDN infrastructure for performance and centralized update distribution. When the CDN serving those files is compromised, every WordPress site that loads the affected plugin file receives the malicious version — without any modification to plugin files stored on those sites and without any action by the site owner.

    The attack’s C2 domain was registered weeks before malicious code appeared in CDN-served files, indicating that preparatory infrastructure was completed well ahead of the CDN injection itself. Sansec’s research, disclosed on June 15, identified the injection start time and tracked the cleanup timeline across the three affected plugins.

    PushEngage Distributed the Backdoor for Two Days While OptinMonster Was Cleaned in 25 Minutes

    OptinMonster and TrustPulse were restored to clean CDN files 25 minutes after the malicious code first appeared in CDN-served files. PushEngage continued distributing the backdoor until June 14 — approximately two days after the injection began.

    The gap between OptinMonster’s rapid cleanup and PushEngage’s extended distribution window means that PushEngage users faced a substantially longer exposure period. WordPress sites running PushEngage were loading malicious CDN-served code throughout that two-day window every time a visitor triggered a page load that included the plugin’s CDN file. OptinMonster’s one-million-installation footprint means that even the 25-minute window represents significant potential reach across the global WordPress ecosystem.

    The “Content Delivery Helper” Backdoor: Unauthorized Admins, Web Shells, and Credential Theft

    The malicious JavaScript delivered a hidden plugin to affected WordPress sites, disguised in the WordPress admin dashboard under the name “Content Delivery Helper” or “Database Optimizer” — labels designed to pass as legitimate system utilities during a routine admin plugin review. The backdoor executed three distinct functions: creating unauthorized administrator accounts on compromised sites, deploying web shells for arbitrary remote command execution, and exfiltrating site credentials.

    The unauthorized administrator account creation is the persistence mechanism that makes CDN cleanup alone insufficient for full remediation. An attacker who installs a hidden admin account can return to a compromised site through normal administrator login indefinitely after the malicious CDN file is cleaned — the backdoor access survives the removal of the original infection vector. WordPress site administrators running any of the three affected plugins should audit their admin user lists for unfamiliar accounts and search for active plugins matching the “Content Delivery Helper” or “Database Optimizer” display names.

    The 2024 Polyfill Attack Pattern Applied Against WordPress’s Plugin Ecosystem

    The Polyfill CDN compromise of 2024 demonstrated that a single compromised CDN endpoint serving JavaScript to millions of websites could simultaneously distribute malware to every downstream site without any modification to the plugin or library source code stored at its origin, and without any action by those sites’ administrators. Sansec identified the Awesome Motive attack as following the same structural model.

    CDN supply chain attacks are effective because site owners have no direct visibility into what is being served from third-party CDN endpoints at the moment of a page load. A site administrator who has trusted an established plugin vendor for years has no mechanism to detect that the vendor’s CDN has been compromised between the last known-clean state and a given visitor’s request. The combination of a widely deployed plugin ecosystem and centralized CDN distribution creates a single point of failure whose compromise scales immediately to the entire downstream installation base.

    WordPress site administrators running OptinMonster, TrustPulse, or PushEngage should treat the period from the injection start through June 14 as a confirmed exposure window and audit for the indicators Sansec documented: unauthorized admin accounts and hidden plugins using the “Content Delivery Helper” or “Database Optimizer” display names.
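    An audit for the two indicators the article names (unfamiliar administrator accounts and hidden plugins carrying the listed display names), written here as an added example rather than code from Sansec or Awesome Motive. It assumes the admin list is the JSON output of WP-CLI's `wp user list --role=administrator --format=json`, that plugin metadata sits in WordPress's standard `Plugin Name:` header comment, and that the sample accounts and plugin files are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Display names Sansec reported for the hidden plugin (from the article).
SUSPECT_PLUGIN_NAMES = {"content delivery helper", "database optimizer"}

# WordPress reads plugin metadata from a comment header in the plugin's main
# PHP file and only inspects the first 8 KiB, so this scan does the same.
_HEADER_RE = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+)$", re.MULTILINE | re.IGNORECASE)

def plugin_names(plugins_dir):
    """Yield (relative path, plugin display name) for each PHP file with a header."""
    root = Path(plugins_dir)
    for php in sorted(root.rglob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        m = _HEADER_RE.search(head)
        if m:
            yield str(php.relative_to(root)), m.group(1).strip().rstrip("*/").strip()

def find_suspect_plugins(plugins_dir):
    """Return plugin files whose display name matches one of the reported labels."""
    return [p for p, n in plugin_names(plugins_dir) if n.lower() in SUSPECT_PLUGIN_NAMES]

def find_unknown_admins(wp_user_json, allowlist, not_before):
    """Flag administrators absent from the allowlist, or registered at/after
    not_before (the injection start). Assumes WP-CLI's JSON fields user_login and
    user_registered ('YYYY-MM-DD HH:MM:SS', so string comparison orders them)."""
    flagged = []
    for u in json.loads(wp_user_json):
        if u["user_login"] not in allowlist:
            flagged.append((u["user_login"], "not in allowlist"))
        elif u.get("user_registered", "") >= not_before:
            flagged.append((u["user_login"], "registered inside exposure window"))
    return flagged

def build_demo_plugins_dir():
    """Constructed wp-content/plugins tree: one legitimate plugin and one
    carrying the 'Content Delivery Helper' label. Returns the directory path."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    (root / "hello").mkdir()
    (root / "hello" / "hello.php").write_text("<?php\n/*\nPlugin Name: Hello Dolly\n*/\n")
    (root / "cdh").mkdir()
    (root / "cdh" / "cdh.php").write_text("<?php\n/**\n * Plugin Name: Content Delivery Helper\n */\n")
    return root

# Constructed sample admin list (not data from the incident); dates are illustrative.
SAMPLE_ADMINS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-04 09:12:00", "roles": "administrator"},
    {"ID": 57, "user_login": "wp_support", "user_registered": "2025-06-13 02:17:44", "roles": "administrator"},
])
```

    Run `find_suspect_plugins` against the real `wp-content/plugins` directory and feed `find_unknown_admins` the live WP-CLI output with the site's known admin logins as the allowlist; any hit is reviewed before the account or plugin is removed.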
