WordPress supply-chain compromise via Awesome Motive's CDN backdoors ~1.2M sites
From CTI Daily Brief — 2026-06-16 · published 2026-06-16
Sansec Forensics found malicious JavaScript appended to the CDN-served api.min.js files shared by three Awesome Motive WordPress plugins — OptinMonster (1.2M+ installs), TrustPulse and PushEngage — injected on 12 June and served from CDN edges into 13 June (Sansec, 2026-06-13). The vendor confirmed the entry point was exploitation of an UpdraftPlus vulnerability on its own marketing server, which leaked the BunnyNet CDN API key used to tamper with the scripts (OptinMonster, 2026-06-14). Because the tampering was at the CDN layer and not in the WordPress.org repository, "update your plugins" gave false assurance for the exposure window. The payload waited for a logged-in administrator, then created a hidden admin account and installed a self-hiding backdoor plugin masquerading as "Content Delivery Helper" or "Database Optimizer", concealed from the plugin list, update checks and API responses, and beaconed harvested credentials to a tidio.cc lookalike domain (Patchstack, 2026-06-15). Mapped to T1195.002, T1136.001 (create account) and T1027.005 (indicator removal).
Defender takeaway: any site running these three plugins with an admin logged in during 12–13 June UTC should be treated as potentially backdoored. Audit for unexpected admin accounts, compare the active-plugin list in the database against the filesystem to surface hidden plugins, and pin externally loaded CDN scripts to Subresource Integrity hashes.
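The three audit steps above, as an added worked example that is not code from Sansec, Patchstack or Awesome Motive. It assumes the real shapes of two WordPress values (the PHP-serialized `active_plugins` row in `wp_options`, and the `wp_capabilities` usermeta row per user) and takes the plugin directory listing and the plugin list the admin UI actually rendered as plain sets; all plugin slugs, usernames and dates below are constructed sample data, not indicators from the brief. A self-hiding plugin filters itself out of what the UI shows but cannot remove itself from the database row or from disk, which is what the comparison exploits; the SRI helper shows why a pinned hash fails the moment a CDN edge appends anything to a script.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample data (not indicators from the brief). In a real audit these come
# from: SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';
# the directory names under wp-content/plugins; and the rows the Plugins screen shows.
SAMPLE_ACTIVE_PLUGINS_OPTION = (
    'a:3:{'
    'i:0;s:19:"akismet/akismet.php";'
    'i:1;s:51:"content-delivery-helper/content-delivery-helper.php";'
    'i:2;s:31:"example-optin/example-optin.php";'
    '}'
)
SAMPLE_ON_DISK = {"akismet", "content-delivery-helper", "example-optin"}
SAMPLE_SHOWN_IN_UI = {"akismet", "example-optin"}  # the self-hiding plugin is absent here
# (user_login, user_registered as WordPress stores it, serialized wp_capabilities meta)
SAMPLE_USERS = [
    ("siteowner", "2024-03-01 09:12:00", 'a:1:{s:13:"administrator";b:1;}'),
    ("wp_support", "2026-06-12 21:47:13", 'a:1:{s:13:"administrator";b:1;}'),
    ("editor_jane", "2025-11-20 14:03:55", 'a:1:{s:10:"subscriber";b:1;}'),
]

_STR_HEADER = re.compile(rb's:(\d+):"')


def parse_php_string_array(serialized: str) -> list[str]:
    """Extract the string members of a PHP-serialized array (the shape of
    active_plugins and of the wp_capabilities keys). Each value is read by its
    declared byte length instead of splitting on quotes, so odd characters in a
    path cannot desynchronise the parse; malformed input raises."""
    data = serialized.encode("utf-8")
    items, pos = [], 0
    while (m := _STR_HEADER.search(data, pos)) is not None:
        start, end = m.end(), m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            raise ValueError(f"malformed serialized string at byte {m.start()}")
        items.append(data[start:end].decode("utf-8"))
        pos = end + 2
    return items


def audit_plugins(active_option: str, on_disk: set[str], shown_in_ui: set[str]) -> dict[str, list[str]]:
    """Three-way comparison of database, filesystem and admin-UI views of plugins."""
    active = {entry.split("/", 1)[0] for entry in parse_php_string_array(active_option)}
    return {
        # Active per the database but not on the Plugins screen: a plugin hiding itself.
        "active_hidden_from_ui": sorted(active - shown_in_ui),
        # Directory exists on disk but the UI never lists it: same finding from the filesystem.
        "on_disk_hidden_from_ui": sorted(on_disk - shown_in_ui),
        # Active per the database with no files on disk: stale row or removed files.
        "active_missing_on_disk": sorted(active - on_disk),
    }


def unexpected_admins(users, known_admins: set[str], window=("2026-06-12", "2026-06-14")) -> list[str]:
    """Flag administrator accounts that are not on the known-good list or that were
    registered inside the exposure window (12 to 13 June; end bound is exclusive)."""
    flagged = []
    for login, registered, caps in users:
        if "administrator" not in parse_php_string_array(caps):
            continue
        created_in_window = window[0] <= registered[:10] < window[1]
        if login not in known_admins or created_in_window:
            flagged.append(login)
    return flagged


def sri_hash(content: bytes) -> str:
    """Value for a <script integrity="..."> attribute: sha384 of the body, base64."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode("ascii")


def verify_sri(content: bytes, pinned: str) -> bool:
    """True only if the fetched body matches the pinned hash exactly."""
    return hmac.compare_digest(sri_hash(content), pinned)


if __name__ == "__main__":
    print(audit_plugins(SAMPLE_ACTIVE_PLUGINS_OPTION, SAMPLE_ON_DISK, SAMPLE_SHOWN_IN_UI))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, known_admins={"siteowner"}))
    # Constructed script body: any bytes appended at the CDN edge break the pin.
    original = b"window.exampleApi = {};"
    pinned = sri_hash(original)
    print("clean copy verifies:", verify_sri(original, pinned))
    print("appended copy verifies:", verify_sri(original + b"/* appended */", pinned))
```

Run it against a site by feeding the real `active_plugins` row, `os.listdir("wp-content/plugins")` and the slugs you see on the Plugins screen; a slug that appears in the first two sets but not the third is the finding the brief describes. Pinning the CDN script with the computed `integrity` value (plus `crossorigin`) makes the browser refuse the file rather than run it when the served bytes no longer match.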