Security researchers at Sansec have uncovered an active supply chain attack targeting the infrastructure of Awesome Motive, a dominant entity in the WordPress ecosystem. This campaign specifically impacts sites utilizing three popular plugins—OptinMonster, TrustPulse, and PushEngage.
Unlike traditional WordPress compromises where malicious code is injected into PHP files or themes, this attack resides upstream. The threat actors have compromised Awesome Motive's Content Delivery Network (CDN) assets, effectively weaponizing the trusted JavaScript delivered to millions of end-users. Because the payload is delivered server-side from a trusted source but executed client-side, this creates a blind spot for traditional file integrity monitoring (FIM) and server-side antivirus, necessitating a shift to network-based and client-side detection strategies.
Technical Analysis
- Affected Products: OptinMonster, TrustPulse, PushEngage (WordPress Plugins).
- Affected Platform: WordPress (Hosting Environment) / Client Browsers (Execution Environment).
- Attack Vector: Compromised CDN Infrastructure (Supply Chain).
- Status: Confirmed Active Exploitation.
The Attack Chain:
- Initial Compromise: Attackers gain access to Awesome Motive's CDN infrastructure.
- Payload Injection: Malicious JavaScript is injected into legitimate plugin asset files served via the CDN.
- Delivery: When a user visits a WordPress site running the affected plugin, the site loads the compromised JavaScript from the trusted Awesome Motive CDN domain.
- Execution: The malicious JS executes in the visitor's browser context.
Defensive Note: The critical distinction here is that no files on the victim's WordPress server are modified. The wp-content directory remains clean. The malicious script https://cdn.[vendor-domain].com/... is fetched by the client browser. This makes detection via server-side logs impossible; defenders must rely on proxy/egress logs or endpoint browser history to identify the compromise.
Detection & Response
Given the client-side nature of this delivery mechanism, detection requires visibility into egress web traffic. The following rules and queries target the retrieval of these specific plugin assets from the CDN.
Sigma Rules
---
title: Potential Awesome Motive CDN Compromise - OptinMonster/TrustPulse/PushEngage
id: 8a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects potential loading of compromised JavaScript assets from Awesome Motive CDN associated with OptinMonster, TrustPulse, or PushEngage during active supply chain attack.
references:
- https://securityaffairs.com/193616/malware/supply-chain-attack-hits-popular-wordpress-plugins-through-awesome-motive-cdn.html
author: Security Arsenal
date: 2026/04/06
tags:
- attack.initial_access
- attack.supply_chain
logsource:
category: web_access
product: proxy
detection:
selection:
cs-uri-query|contains:
- 'optinmonster'
- 'trustpulse'
- 'pushengage'
cs-host|contains:
- 'awsmotive.com'
- 'a.omappapi.com'
condition: selection
falsepositives:
- Legitimate updates or standard plugin functionality
level: high
---
title: Suspicious High-Volume Egress to WordPress Plugin CDN
id: 9b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Identifies unusual spikes in connections to known Awesome Motive endpoints, indicative of mass client-side script loading or potential beaconing.
author: Security Arsenal
date: 2026/04/06
tags:
- attack.command_and_control
logsource:
category: network_connection
product: windows
detection:
selection:\ DestinationHostname|endswith:
- 'awsmotive.com'
- 'omappapi.com'
filter:
DestinationPort: 443
timeframe: 5m
condition: selection | count() > 50
falsepositives:
- High-traffic WordPress sites with active marketing campaigns
level: medium
KQL (Microsoft Sentinel)
Hunts for egress proxy traffic hitting the specific plugin endpoints associated with the compromised CDN.
// Hunt for connections to Awesome Motive CDN serving OptinMonster, TrustPulse, or PushEngage
CommonSecurityLog
| where Direction == "Outbound"
| where DestinationHostName has "awsmotive.com" or DestinationHostName has "omappapi.com"
| where RequestURL has_any ("optinmonster", "trustpulse", "pushengage")
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, RequestURL, DeviceAction
| summarize Count = count() by SourceIP, DestinationHostName, RequestURL
| order by Count desc
Velociraptor VQL
Endpoints (laptops/workstations) visiting compromised sites will fetch this script. This VQL artifact hunts Chrome and Edge history for connections to the specific CDN assets.
-- Hunt for Awesome Motive CDN plugin access in browser history
SELECT
strftime(timestamp="%Y-%m-%d %H:%M:%S", str=url.last_visit_time) as LastVisited,
url.url as URL,
url.title as PageTitle,
url.visit_count as VisitCount
FROM glob(globs=["/Users/*/AppData/Local/Google/Chrome/User Data/*/History",
"/Users/*/AppData/Local/Microsoft/Edge/User Data/*/History"])
WHERE url.url =~ "awsmotive"
AND (url.url =~ "optinmonster" OR url.url =~ "trustpulse" OR url.url =~ "pushengage")
Remediation Script (PowerShell)
Since the server files are not modified, server-side remediation focuses on identifying if the environment is running the vulnerable software so network blocks or updates can be prioritized.
# Audit WordPress installations for affected Awesome Motive plugins
# This script checks for the presence of OptinMonster, TrustPulse, or PushEngage
$LogPath = "C:\Temp\AwesomeMotiveAudit.txt"
$WebRoot = "C:\inetpub\wwwroot" # Adjust to your specific web root
Write-Output "Starting Audit for Awesome Motive Plugins..." | Out-File -FilePath $LogPath
$AffectedPlugins = @("optinmonster", "trustpulse", "pushengage")
if (Test-Path $WebRoot) {
Get-ChildItem -Path $WebRoot -Recurse -Directory -Filter "wp-content" | ForEach-Object {
$PluginsPath = Join-Path -Path $_.FullName -ChildPath "plugins"
if (Test-Path $PluginsPath) {
foreach ($Plugin in $AffectedPlugins) {
$PluginPath = Join-Path -Path $PluginsPath -ChildPath $Plugin
if (Test-Path $PluginPath) {
$Message = "[WARNING] Detected potentially affected plugin: $($Plugin) at $($PluginPath)"
Write-Output $Message | Out-File -FilePath $LogPath -Append
Write-Host $Message -ForegroundColor Red
}
}
}
}
} else {
Write-Output "Web Root not found at $WebRoot" | Out-File -FilePath $LogPath -Append
}
Write-Output "Audit Complete. Review $LogPath" | Out-File -FilePath $LogPath -Append
Remediation
- Update Plugins Immediately: Check the Awesome Motive vendor dashboard for the latest patched versions of OptinMonster, TrustPulse, and PushEngage. Updates typically involve rotating the CDN endpoint or validating asset hashes.
- Verify Patching: Simply updating the plugin may not clear the browser cache of your visitors. Ensure the plugin update specifically references the CDN fix or security update.
- Network Blocking (Temporary): If immediate patching is not feasible, consider blocking outbound connections to the specific Awesome Motive CDN domains (
*.awsmotive.com,*.omappapi.com) at the perimeter firewall. Note: This will break the functionality of the plugins until they are updated and verified. - Client Education: Inform internal staff that if they visited your corporate WordPress sites recently, they may have been exposed to the malicious JavaScript. Run endpoint detection and response (EDR) scans on internal workstations.
- Vendor Communication: Review the official security advisory from Awesome Motive for specific IOCs (hashes of the malicious JS) to add to your blocklists.
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.