What's Happening?
Attackers have compromised several popular WordPress plugins, including OptinMonster, TrustPulse, and PushEngage, to install hidden backdoors and rogue administrator accounts on approximately 1.2 million websites. This supply-chain attack was detailed by the Dutch malware research firm Sansec. The malicious code was introduced through Awesome Motive's delivery network, affecting any site loading the scripts. The attack remains dormant until a logged-in administrator accesses a page, at which point it creates a new administrator account and installs a self-hiding backdoor plugin. The compromised credentials are then sent to a lookalike of the legitimate chat service tidio.com. The attack is reminiscent of the 2024 Polyfill attack, which similarly affected thousands of sites by poisoning a single upstream file. The exact entry point for the attackers remains unclear, but possibilities include Awesome Motive's servers, its CDN account, or the BunnyNet network.
Why Is It Important?
This attack highlights significant vulnerabilities in the supply chain of WordPress plugins, which are widely used across millions of websites. The ability to install backdoors and create rogue administrator accounts poses a severe security risk, potentially leading to unauthorized access and data breaches. The attack's scale, affecting 1.2 million sites, underscores the importance of robust security measures and monitoring for website administrators. The incident also raises concerns about the security practices of plugin vendors and the need for improved oversight and response strategies to prevent similar attacks in the future. Website owners using Awesome Motive plugins are particularly at risk and must remain vigilant for signs of compromise.
What's Next?
Website administrators using Awesome Motive plugins are advised to monitor for unfamiliar administrator accounts and unusual traffic patterns, particularly to tidio[.]cc. Immediate action is recommended if any signs of compromise are detected. Awesome Motive is expected to investigate the breach and implement measures to prevent future attacks. The broader WordPress community may also push for enhanced security protocols and more rigorous vetting of plugins to protect against supply-chain attacks. As the situation develops, further updates from security firms and affected vendors will be crucial in understanding the full impact and preventing recurrence.
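As an added example that is not part of the original brief, the following Python script implements the two checks recommended above on constructed sample data: it flags administrator accounts that are not on the site's known list or were registered after a chosen date (input in the shape printed by `wp user list --role=administrator --fields=user_login,user_email,user_registered --format=csv`), and it flags outbound requests to hosts that imitate a service the site legitimately uses, such as tidio.cc standing in for tidio.com. It generalises the page's single indicator to any lookalike of a listed legitimate service; the CSV, the log lines, the known-admin set and the cutoff date are all assumptions constructed for the demonstration.

```python
import csv
import io
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample: administrator list in the shape WP-CLI prints with --format=csv.
SAMPLE_ADMIN_CSV = """user_login,user_email,user_registered
siteowner,owner@example.org,2021-03-04 10:15:22
editor-admin,ed@example.org,2023-07-19 08:02:41
wp_support,support@example.net,2025-05-02 03:14:07
"""

# Constructed sample: outbound requests from the web host (timestamp method url status).
SAMPLE_EGRESS_LOG = """2025-05-02T03:14:09Z POST https://tidio.cc/api/login 200
2025-05-02T03:20:11Z GET https://www.tidio.com/widget.js 200
2025-05-02T03:21:30Z POST https://api.wordpress.org/plugins/update-check/1.1/ 200
"""

# Assumed: services the site is actually known to use.
LEGIT_SERVICES = {"tidio.com"}


def unexpected_admins(admin_csv, known_admins, since):
    """Return admin logins not in the known set, or registered after `since`."""
    since_dt = datetime.fromisoformat(since)
    flagged = []
    for row in csv.DictReader(io.StringIO(admin_csv)):
        registered = datetime.fromisoformat(row["user_registered"])
        if row["user_login"] not in known_admins or registered > since_dt:
            flagged.append(row["user_login"])
    return flagged


def lookalike_hosts(log_text, legit_services):
    """Return (timestamp, host) for requests to hosts that reuse a legitimate
    service's name under a different top-level label (tidio.cc vs tidio.com)."""
    legit_by_name = {s.rsplit(".", 1)[0]: s for s in legit_services}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host = urlsplit(parts[2]).hostname or ""
        labels = host.split(".")
        if len(labels) < 2:
            continue
        registrable = ".".join(labels[-2:])   # "www.tidio.com" -> "tidio.com"
        name = labels[-2]
        if name in legit_by_name and registrable != legit_by_name[name]:
            hits.append((parts[0], host))
    return hits
```

Run the admin check against the real WP-CLI output and the egress check against the host's proxy or firewall log; any hit is a lead for the manual review the brief calls for, not proof of compromise on its own.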