Particle.news

Supply-Chain Malware Tampered With Awesome Motive Plugin Scripts

Injected CDN JavaScript created hidden admin accounts and installed a self-hiding backdoor plugin; cleanup requires server-side scans and full credential rotation.

Overview

  • Sansec researchers found tampered JavaScript served from Awesome Motive CDN endpoints used by OptinMonster, TrustPulse and PushEngage; the malicious code first appeared on June 12 and was removed from some endpoints in the following days.
  • The malicious code activated only for logged-in WordPress administrators, then created attacker-controlled admin accounts and installed a self-hiding plugin that provides a web shell and remote PHP execution.
  • Stolen credentials and site metadata were encrypted and sent to a lookalike command-and-control domain, tidio.cc, which was registered on April 28 and used multiple delivery fallbacks to ensure exfiltration.
  • PushEngage published an incident notice saying it replaced files, cleared CDN caches, rotated CDN keys and moved marketing infrastructure, while Sansec says the definitive entry point remains unresolved and disputes the UpdraftPlus explanation PushEngage offered.
  • Site operators should assume compromise if an administrator was logged in to an affected site during the window; inspect wp-content/plugins on the server itself (the backdoor plugin hides from the WordPress admin plugin list) for folders WordPress does not report; search web-server and egress logs for traffic to tidio.cc or IP 84.201.6.54; review administrator accounts for ones they did not create; and rotate all passwords and keys.
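
One way to run the server-side checks in the list above, as an added bash example that is not code from Sansec, PushEngage or Awesome Motive. It assumes a standard WordPress layout (wp-content/plugins, wp-content/uploads) and uses only the two indicators named in the summary; the plugin folder name wp-core-helper, the PHP file under uploads and the log lines are a constructed fixture so the script runs offline.

```shell
#!/usr/bin/env bash
# Added triage helper for the incident summarised above; not code from
# Sansec, PushEngage or Awesome Motive. Assumes a standard WordPress layout.
set -u

# Indicators from the writeup: the lookalike C2 domain and the IP.
IOC_PATTERN='tidio\.cc|84\.201\.6\.54'

# Plugin folders that exist on disk but that WordPress does not list.
# $1 = the wp-content/plugins directory on the server
# $2 = file with one plugin slug per line, e.g. the output of
#      `wp plugin list --field=name` (assumed available) or the slugs
#      copied from the admin plugins page.
# A self-hiding plugin appears in the directory listing and nowhere else.
find_hidden_plugins() {
  local plugins_dir="$1" known_list="$2" dir name
  for dir in "$plugins_dir"/*/; do
    [ -d "$dir" ] || continue
    name=$(basename "$dir")
    grep -qxF -- "$name" "$known_list" || printf '%s\n' "$name"
  done
}

# wp-content/uploads should never contain PHP; anything found is suspect.
find_php_in_uploads() {
  find "$1" -type f -name '*.php' 2>/dev/null
}

# Log lines that reference the C2 domain or IP, from any number of files.
scan_logs_for_iocs() {
  [ $# -gt 0 ] || return 0          # never fall through to reading stdin
  grep -hE -- "$IOC_PATTERN" "$@" 2>/dev/null || true
}

# Constructed fixture so the helpers run offline. In real use, point them at
# /var/www/html/wp-content/{plugins,uploads} and the web-server/egress logs.
make_demo() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/plugins/optinmonster" "$root/plugins/akismet" \
           "$root/plugins/wp-core-helper" "$root/uploads"
  # What the admin UI shows: the hidden plugin is missing from this list.
  printf 'optinmonster\nakismet\n' > "$root/known.txt"
  : > "$root/uploads/cache.php"                       # constructed dropper
  cat > "$root/egress.log" <<'EOF'
Jun 13 02:11:04 web1 proxy: CONNECT tidio.cc:443 from 10.0.0.5
Jun 13 02:11:09 web1 proxy: POST https://84.201.6.54/collect 200
Jun 13 02:12:00 web1 proxy: GET https://api.wordpress.org/plugins/info/1.2/ 200
EOF
  printf '%s\n' "$root"
}

DEMO=$(make_demo)
echo "== plugin folders hidden from WordPress =="
find_hidden_plugins "$DEMO/plugins" "$DEMO/known.txt"
echo "== PHP files under uploads =="
find_php_in_uploads "$DEMO/uploads"
echo "== log lines referencing the C2 =="
scan_logs_for_iocs "$DEMO/egress.log"
```

The directory-versus-list comparison is the point: the backdoor plugin removes itself from what WordPress reports, so only a listing taken on the server exposes it. A hit in any of the three checks means the site should be treated as compromised, and the account review from the list above still has to be done separately, for example with `wp user list --role=administrator --fields=ID,user_login,user_registered` (assumed WP-CLI is installed) against the list of administrators the team actually created.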