
OptinMonster supply chain attack hits 1.2 million sites

Published 14/06/2026 16:55 · Modified 15/06/2026 17:15


Essential information

Published
14/06/2026 16:55
Modified
15/06/2026 17:15
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
awesome motive backdoor cdn compromise optinmonster pushengage supply-chain trustpulse wordpress
Related entities
10 indicators, 10 observables, 20 techniques (mitre)

Description

An active attack targeted over 1.2 million sites running the OptinMonster, TrustPulse and PushEngage WordPress plugins operated by Awesome Motive. Attackers injected malicious JavaScript into legitimate files served through the vendor's CDN endpoints, so every site loading those files received the payload. The malware activates when a logged-in administrator loads the site; it then creates rogue administrator accounts (developer_api1 and randomized dev_xxxxxx accounts) and installs a self-hiding PHP plugin. This backdoor plugin provides unauthenticated code execution through a web shell and an eval endpoint. Stolen credentials are exfiltrated to tidio.cc, a lookalike domain mimicking the legitimate tidio.com. The breach likely originated from compromised vendor servers or the vendor's BunnyNet CDN account. The campaign began in late April 2026 and remained active through mid-June 2026, affecting users of all three plugins, the largest of which has over 1 million installations.
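The description above gives three host-side indicators a site owner can hunt for: rogue administrator accounts (developer_api1 and dev_xxxxxx), a plugin that hides itself from the WordPress plugin list, and references to the lookalike domain tidio.cc. The script below is an added example written for this page, not code from the report, from AlienVault or from the plugin vendor; it runs on constructed sample data embedded inline. Assumptions not stated in the report: the random suffix of the dev_xxxxxx accounts is six lowercase alphanumerics, user data is available as (login, role) pairs (for instance from `wp user list --fields=user_login,roles`), and the self-hiding plugin hides itself from WordPress's own plugin listing while still occupying a directory under wp-content/plugins. The plugin name wp-sys-cache in the sample data is made up.

```python
"""Hunting checks for the rogue-admin, hidden-plugin and exfil indicators
described in the report. Added example, not the report's or vendor's code.

Assumptions (not in the report): the dev_xxxxxx suffix is six lowercase
alphanumerics; users are supplied as (login, role) pairs; the self-hiding
plugin filters itself out of WordPress's plugin listing but still has a
directory on disk.
"""
import re
from urllib.parse import urlsplit

# Indicators taken from the report description.
KNOWN_BACKDOOR_LOGIN = "developer_api1"
EXFIL_DOMAIN = "tidio.cc"        # lookalike of the legitimate tidio.com

# Assumed shape of the randomised "dev_xxxxxx" accounts.
RANDOM_DEV_LOGIN = re.compile(r"^dev_[a-z0-9]{6}$")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def suspicious_admin_accounts(users):
    """Return logins of administrator accounts matching the rogue pattern.

    Non-admin accounts are skipped: the malware creates admin accounts, and a
    legitimate 'dev_...' subscriber would otherwise be noise.
    """
    hits = []
    for login, role in users:
        if role != "administrator":
            continue
        if login == KNOWN_BACKDOOR_LOGIN or RANDOM_DEV_LOGIN.match(login):
            hits.append(login)
    return hits


def is_exfil_host(host):
    """True for tidio.cc or any subdomain of it; False for tidio.com."""
    host = host.lower().rstrip(".")
    return host == EXFIL_DOMAIN or host.endswith("." + EXFIL_DOMAIN)


def exfil_references(text):
    """Return URLs in `text` whose host is the exfil domain.

    The host is parsed out of each URL rather than substring-matched, so the
    legitimate tidio.com widget URLs are not flagged.
    """
    return [u for u in URL_RE.findall(text)
            if is_exfil_host(urlsplit(u).hostname or "")]


def hidden_plugins(plugin_dirs_on_disk, plugins_listed_by_wp):
    """Return plugin directories present on disk but absent from WP's list.

    A plugin that filters itself out of the plugin listing still leaves a
    directory behind; comparing the two views exposes it.
    """
    listed = set(plugins_listed_by_wp)
    return sorted(d for d in plugin_dirs_on_disk if d not in listed)


def scan_site(users, sources, plugin_dirs_on_disk, plugins_listed_by_wp):
    """Run all three checks and return the findings."""
    return {
        "rogue_admins": suspicious_admin_accounts(users),
        "exfil_urls": [u for src in sources for u in exfil_references(src)],
        "hidden_plugins": hidden_plugins(plugin_dirs_on_disk, plugins_listed_by_wp),
    }


# Constructed sample data, not taken from a real site.
SAMPLE_USERS = [
    ("alice", "administrator"),
    ("developer_api1", "administrator"),
    ("dev_k3x9qz", "administrator"),
    ("dev_team", "editor"),
    ("dev_a1b2c3", "subscriber"),
]
SAMPLE_PLUGIN_SOURCE = """<?php
// constructed sample: a benign tidio.com reference next to the exfil domain
$chat = 'https://widget-v4.tidio.com/chat.js';
$sink = 'https://api.tidio.cc/collect';
"""
SAMPLE_DIRS_ON_DISK = ["akismet", "optinmonster", "wp-sys-cache"]  # wp-sys-cache is made up
SAMPLE_WP_LISTING = ["akismet", "optinmonster"]

if __name__ == "__main__":
    print(scan_site(SAMPLE_USERS, [SAMPLE_PLUGIN_SOURCE],
                    SAMPLE_DIRS_ON_DISK, SAMPLE_WP_LISTING))
```

The account check deliberately ignores non-administrator users, since the report describes the malware creating admin accounts and a blanket match on `dev_` would flag ordinary developer logins. The domain check parses the URL host instead of searching for the string "tidio.c", which would match the legitimate tidio.com as readily as the lookalike.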

External references