Stolen CDN Credentials Let Attackers Plant Backdoors on 1 Million WordPress Sites via Awesome Motive Plugin Compromise

A stolen CDN API key enabled attackers to inject malicious JavaScript into plugins serving more than 1 million WordPress sites after hackers exploited an UpdraftPlus vulnerability on an Awesome Motive marketing server, according to security firm Sansec, which discovered the supply-chain attack over the June 14-15 weekend. Awesome Motive confirmed the breach affected OptinMonster, TrustPulse, and PushEngage plugins distributed through its content delivery network.

TL;DR: Attackers stole CDN credentials from a compromised Awesome Motive marketing server running UpdraftPlus, modified JavaScript files to create rogue WordPress admin accounts, and retained control even after malicious scripts were removed.

The attack targeted a non-production marketing server at Awesome Motive, the company behind multiple WordPress products. While the vulnerable server sat outside the production environment, it stored credentials for the company's CDN infrastructure. Hackers used the stolen API key to modify JavaScript files served through the CDN to sites running OptinMonster, TrustPulse, and PushEngage.

This is the second major compromise of Awesome Motive plugin infrastructure disclosed in 2026, underscoring persistent vulnerabilities in WordPress supply-chain dependencies even when vendors segment production and staging environments.

How the Supply-Chain Attack Worked

The malicious JavaScript activated only when a logged-in WordPress administrator visited an affected site, according to Sansec's disclosure. This conditional execution helped the malware evade detection while targeting high-privilege users exclusively.

The script harvested administrator authentication tokens and WordPress nonces from active admin sessions. Attackers then used the stolen credentials to create new administrator accounts on compromised sites. Sansec identified two naming patterns for the rogue accounts: "developer_api1" and variations prefixed with "dev_" followed by random characters.

After establishing administrative access, the attackers installed hidden backdoor plugins under the wp-content/plugins directory. These plugins enabled web shell functionality, arbitrary PHP code execution, and file management capabilities. The malware also established command-and-control infrastructure and began exfiltrating site data.

Why Removal of CDN Scripts Didn't Stop the Attack

Awesome Motive removed the malicious JavaScript from its CDN after discovery, but the remediation did not eliminate attacker access. The rogue administrator accounts and backdoor plugins persisted on already-compromised sites, giving hackers continued control independent of the original infection vector.

This persistence mechanism means site owners cannot rely on vendor-side fixes alone. Each affected site requires individual remediation to remove attacker-created accounts and hidden plugins.

Required Remediation Steps for Site Owners

WordPress site owners running OptinMonster, TrustPulse, or PushEngage should immediately audit administrator accounts for usernames matching "developer_api1" or the "dev_" prefix pattern. Any accounts matching these patterns that site owners did not create should be deleted immediately.

Site owners must also inspect the filesystem directly under wp-content/plugins for unfamiliar plugin directories. Hidden backdoor plugins may not appear in the WordPress admin dashboard plugin list. Server-side malware scans using tools like Wordfence CLI or Sucuri SiteCheck can detect filesystem-level changes.

After removing rogue accounts and backdoor plugins, site owners should rotate all administrative credentials. This includes admin user passwords, API keys for third-party services, database credentials, and WordPress security salts in wp-config.php. The security salt rotation forces re-authentication across all active sessions and invalidates stolen tokens.
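The salt rotation in the last step can be scripted. The following is an added example, not code from the article or from Awesome Motive; it rewrites the eight `define()` lines WordPress keeps in wp-config.php with fresh 64-character values and leaves every other line untouched. The sample config text is constructed here.

```python
import re
import secrets

# The eight authentication keys and salts WordPress defines in wp-config.php.
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Matches: define( 'AUTH_KEY', 'value' );  group 3 = key, group 5 = value,
# groups 1 and 6 = the text before and after the value, kept verbatim.
_DEFINE_RE = re.compile(
    r"""^(\s*define\(\s*(['"])(""" + "|".join(WP_SALT_KEYS)
    + r""")\2\s*,\s*(['"]))(.*?)(\4\s*\)\s*;.*)$""",
    re.MULTILINE,
)

def fresh_salt() -> str:
    """64 chars from [A-Za-z0-9_-], so the value is safe inside either quote style."""
    return secrets.token_urlsafe(48)

def current_salts(config_text: str) -> dict:
    """Key -> value for every salt define found in the config text."""
    return {m.group(3): m.group(5) for m in _DEFINE_RE.finditer(config_text)}

def rotate_salts(config_text: str) -> tuple:
    """Return (new config text, {key: new value}); refuses configs missing any salt."""
    rotated = {}
    def _sub(m):
        rotated[m.group(3)] = fresh_salt()
        return m.group(1) + rotated[m.group(3)] + m.group(6)
    new_text = _DEFINE_RE.sub(_sub, config_text)
    missing = set(WP_SALT_KEYS) - set(rotated)
    if missing:
        raise ValueError(f"wp-config.php is missing salt definitions: {sorted(missing)}")
    return new_text, rotated

# Constructed stand-in for a site's wp-config.php (values are the stock placeholders).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""
```

Rotating the salts only helps after the rogue accounts and backdoor plugins are gone; an attacker with a web shell can simply read the new values.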

Agencies managing client portfolios should reference white-label WordPress security baseline checklists to establish consistent audit protocols across all sites under management.

What This Means for Agency Owners

Agencies running OptinMonster, TrustPulse, or PushEngage on client sites face immediate audit obligations. Each site in the portfolio requires manual inspection for rogue admin accounts and backdoor plugins; automated plugin updates from Awesome Motive removed the infection vector but did not eliminate attacker persistence.

This supply-chain attack demonstrates why agencies cannot treat plugin vendors as security perimeters. Even vendors with separated production environments can expose CDN credentials through auxiliary infrastructure. Agencies should implement monitoring for unexpected administrator account creation and filesystem changes under wp-content as baseline signals that trigger security review, regardless of vendor trust level.
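The two baseline signals named here, and the account and filesystem audit described under the remediation steps above, can be implemented as one check. The following is an added example, not code from the article, Sansec, or Awesome Motive: it flags administrator logins that are new since a recorded baseline or match the reported "developer_api1" and "dev_" patterns, and diffs a hashed snapshot of wp-content against the current tree so that plugin directories absent from the dashboard list still surface. The wp-content layout, file names and usernames in `demo()` are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Rogue-account naming patterns reported by Sansec for this incident.
ROGUE_USER_RE = re.compile(r"^(developer_api1|dev_.+)$")

def flag_admin_accounts(current_admins, known_admins):
    """Admin logins that are not in the baseline or that match the rogue patterns."""
    known = set(known_admins)
    return sorted(u for u in current_admins if u not in known or ROGUE_USER_RE.match(u))

def snapshot_tree(root: Path) -> dict:
    """Relative path -> SHA-256 of every file under wp-content; store this as the baseline."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_tree(baseline: dict, current: dict) -> dict:
    """Added, modified and removed files relative to the baseline snapshot."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "modified": sorted(p for p in common if baseline[p] != current[p]),
            "removed": sorted(baseline.keys() - current.keys())}

def new_plugin_dirs(changes: dict) -> list:
    """Plugin directories that exist only in added files. A backdoor plugin that never
    appears in the dashboard list still shows up here, because the diff is on disk."""
    return sorted({p.split("/")[1] for p in changes["added"]
                   if p.startswith("plugins/") and p.count("/") >= 2})

def demo() -> dict:
    """Constructed scenario: take a baseline, then a hidden plugin and a rogue admin appear."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)  # stands in for wp-content/
        legit = root / "plugins/optinmonster/optin-monster.php"  # constructed file name
        legit.parent.mkdir(parents=True)
        legit.write_text("<?php // legitimate plugin file\n")
        baseline = snapshot_tree(root)
        # Post-compromise state (constructed): dot-prefixed plugin dir plus a tampered file.
        hidden = root / "plugins/.cache-helper/index.php"
        hidden.parent.mkdir()
        hidden.write_text("<?php // stand-in for a backdoor, no real payload\n")
        legit.write_text("<?php // legitimate plugin file, now modified\n")
        changes = diff_tree(baseline, snapshot_tree(root))
    admins = flag_admin_accounts(["alice", "developer_api1", "dev_q8x2"], known_admins=["alice"])
    return {"admins": admins, "changes": changes, "new_plugin_dirs": new_plugin_dirs(changes)}
```

On a live site the current admin list can come from `wp user list --role=administrator --field=user_login`, and the baseline snapshot should be taken from a known-clean state and stored off the web server.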

The attack also reinforces the revenue case for structured post-launch security monitoring. Clients paying monthly retainers expect proactive identification of compromise rather than reactive cleanup after data exfiltration. Agencies that documented rogue account removal and credential rotation as billable emergency response work likely converted one-time project clients into ongoing security subscribers.