惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
爱范儿
爱范儿
人人都是产品经理
人人都是产品经理
博客园 - 司徒正美
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
量子位
罗磊的独立博客
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
小众软件
小众软件
C
Cybersecurity and Infrastructure Security Agency CISA
Cyberwarzone
Cyberwarzone
大猫的无限游戏
大猫的无限游戏
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
雷峰网
雷峰网
Simon Willison's Weblog
Simon Willison's Weblog
The Cloudflare Blog
博客园 - 三生石上(FineUI控件)
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园_首页
博客园 - 叶小钗
V
Vulnerabilities – Threatpost
T
The Exploit Database - CXSecurity.com
T
Tailwind CSS Blog
IT之家
IT之家
博客园 - 聂微东
Spread Privacy
Spread Privacy
V2EX - 技术
V2EX - 技术
S
Security Affairs
宝玉的分享
宝玉的分享
V
V2EX
C
Cisco Blogs
博客园 - Franky
美团技术团队
酷 壳 – CoolShell
酷 壳 – CoolShell
月光博客
月光博客
S
Securelist
J
Java Code Geeks
Webroot Blog
Webroot Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
P
Proofpoint News Feed
Last Week in AI
Last Week in AI
L
LINUX DO - 热门话题
NISL@THU
NISL@THU
WordPress大学
WordPress大学
W
WeLiveSecurity
T
Threatpost
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
腾讯CDC
阮一峰的网络日志
阮一峰的网络日志

Security Affairs

Carding service Jerry’s Store leak exposes 345,000 stolen payment cards Anthropic launches Claude Security to counter rapid AI-Powered exploits SonicWall patches three SonicOS flaws in Gen 6, 7 and 8 firewalls. Patch them now Copy Fail: New Linux bug enables Root via page‑cache corruption Agent’s claims on WhatsApp access spark security concerns Meta accused of violating DSA by failing to safeguard minors Large-scale Roblox hacking operation shut down by Ukrainian authorities CVE-2026-42208: LiteLLM bug exploited 36 hours after its disclosure Internet censorship index reveals Russia’s lead and widespread content blocking All supported cPanel versions hit by critical auth bug, now patched U.S. CISA adds Microsoft Windows Shell and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities catalog ShinyHunters exploit Anodot incident to target Vimeo CVE-2026-3854 GitHub flaw enables remote code execution Signal Phishing Campaign Targets German Officials in Suspected Russian Operation Microsoft fixes Entra ID flaw enabling privilege escalation New Android spyware Morpheus linked to Italian surveillance firm NCSC launches SilentGlass, a plug-in device to secure HDMI and DisplayPort links Medtronic discloses security incident after ShinyHunters claimed theft of 9M+ records Chinese spy posed as researcher in spear-phishing campaign targeting NASA to steal defense software LINKEDIN BROWSERGATE Firefox bug CVE-2026-6770 enabled cross-site tracking and Tor fingerprinting Fast16: Pre-Stuxnet malware that targeted precision engineering software Italy moves to extradite Chinese national to the U.S. over hacking charges U.S. utility giant Itron discloses a security breach Critical bug in CrowdStrike LogScale let attackers access files GopherWhisper: new China-linked APT targets Mongolia with Go-based malware SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 94 Trigona ransomware adopts custom tool to steal data and evade detection Security Affairs newsletter Round 574 by Pierluigi Paganini – INTERNATIONAL EDITION U.S. CISA adds SimpleHelp, Samsung, and D-Link flaws to its Known Exploited Vulnerabilities catalog Over 400,000 sites at risk as hackers exploit Breeze Cache plugin flaw (CVE-2026-3844) CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network 12-year-old Pack2TheRoot bug lets Linux users gain root privileges Signal phishing campaign targets Germany’s Bundestag President Julia Klöckner China-linked threat actors use consumer device botnets to evade detection, warn UK and partners Luxury cosmetics giant Rituals discloses data breach impacting member personal details iOS Flaw Let Deleted Notifications Linger, Apple Issues Fix RAMP Uncovered: Anatomy of Russia’s Ransomware Marketplace U.S. CISA adds a flaw in Microsoft Defender to its Known Exploited Vulnerabilities catalog Microsoft Graph API misused by new GoGra Linux malware for hidden communication DDoS wave continues as Mastodon hit after Bluesky incident Mirai Botnet exploits CVE-2025-29635 to target legacy D-Link routers Microsoft out-of-band updates fixed critical ASP.NET Core privilege escalation flaw Critical BRIDGE:BREAK flaws impact Lantronix and Silex Technology converters Venezuela energy sector targeted by highly destructive Lotus wiper Ransomware negotiator caught secretly assisting BlackCat extortion scheme North Korea’s Lazarus APT stole $290M from Kelp DAO The US NSA is using Anthropic’s Claude Mythos despite supply chain risk U.S. CISA adds Cisco Catalyst, Kentico Xperience, PaperCut NG/MF, Synacor ZCS, Quest KACE SMA, and JetBrains TeamCity flaws to its Known Exploited Vulnerabilities catalog Bluesky hit by 24-hour DDoS attack as pro-Iran group claims responsibility France’s ANTS ID System website hit by cyberattack, possible data breach Scattered Spider member Tyler Buchanan pleads guilty to major crypto theft CVE-2023-33538 under attack for a year, but exploitation still unsuccessful Third-party AI hack triggers Vercel breach, internal environments accessed AI Model Claude Opus turns bugs into exploits for just $2,283 Cyber attacks fuel surge in cargo theft across logistics industry SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 93 Security Affairs newsletter Round 573 by Pierluigi Paganini – INTERNATIONAL EDITION Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware Nexcorium Mirai variant exploits TBK DVR flaw to launch DDoS attacks Microsoft Defender under attack as three zero-days, two of them still unpatched, enable elevated access Kyrgyzstan-based crypto exchange Grinex shuts down after $13.7M cyber heist, blames Western Intelligence DraftKings hacker sentenced to prison, ordered to pay $1.4 Million Operation PowerOFF: 53 DDoS domains seized and 3 Million criminal accounts uncovered Inside ZionSiphon: politically driven malware aims at Israeli water systems U.S. CISA adds a flaw in Apache ActiveMQ to its Known Exploited Vulnerabilities catalog Cisco fixed four critical flaws in Identity Services and Webex Cookeville Regional Medical Center hospital data breach impacts 337,917 people AI platform n8n abused for stealthy phishing and malware delivery From clinics to government: UAC-0247 expands cyber campaign across Ukraine Sweden reports cyberattack attempt on heating plant amid rising energy threats CVE-2026-33032: severe nginx-ui bug grants unauthenticated server access U.S. CISA adds Microsoft SharePoint Server, and Microsoft Office Excel flaws to its Known Exploited Vulnerabilities catalog Mirax malware campaign hits 220K accounts, enables full remote control PHP Composer flaws enable remote command execution via Perforce VCS Microsoft Patch Tuesday for April 2026 fixed actively exploited SharePoint zero-day Personal data of 1 million gym members compromised in Basic-Fit security incident US, UK and Canada disrupt $45M crypto theft in Operation Atlantic ShinyHunters claim the hack of Rockstar Games breach and started leaking data Attackers target unpatched ShowDoc servers via CVE-2025-0520 U.S. CISA adds Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog Citizen Lab: Webloc tracked 500M devices for global law enforcement Iran-linked group Handala claims to have breached three major UAE organizations Adobe fixes actively exploited Acrobat Reader flaw CVE-2026-34621 Hackers claim control over Venice San Marco anti-flood pumps SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 92 Security Affairs newsletter Round 572 by Pierluigi Paganini – INTERNATIONAL EDITION Censys finds 5,219 devices exposed to attacks by Iranian APTs, majority in U.S. GlassWorm evolves with Zig dropper to infect multiple developer tools CVE-2026-39987: Marimo RCE exploited in hours after disclosure Ransomware attack on ChipSoft knocks EHR services offline across hospitals in the Netherlands and Belgium UAT-10362 linked to LucidRook attacks targeting Taiwan-based institutions EngageLab SDK flaw opens door to private data on 50M Android devices Bitcoin Depot hack leads to $3.6M Bitcoin theft via stolen credentials Eurail data breach impacted 308,777 people Malicious PDF reveals active Adobe Reader zero-day in the wild Masjesu botnet targets IoT devices while evading high-profile networks The alleged breach of China’s National Supercomputing Center can have serious geopolitical consequences Internet-Exposed ICS Devices Raise Alarm for Critical Sectors U.S. CISA adds a flaw in Ivanti EPMM to its Known Exploited Vulnerabilities catalog
Attackers compromised Awesome Motive CDN files, backdooring WordPress sites running OptinMonster, TrustPulse, and PushEngage
https://www.facebook.com/sec.affairs · 2026-06-15 · via Security Affairs

Attackers compromised Awesome Motive CDN files, backdooring WordPress sites running OptinMonster, TrustPulse, and PushEngage.

Sansec researchers discovered an active supply chain attack hitting WordPress sites running OptinMonster, TrustPulse, and PushEngage, three plugins operated by Awesome Motive, one of the largest WordPress plugin companies in the world.

The malicious JavaScript wasn’t sitting on any victim’s server. It was injected into files served directly from Awesome Motive’s own CDN endpoints, meaning every site that loaded those scripts pulled the tampered version straight from the source, with no warning and no way to discover the attack.

“Attackers added malicious JavaScript to the legitimate files served by Awesome Motive, which are embedded in their customer’s sites.” reads the report published by Sansec.

The attack follows the exact same pattern as the Polyfill supply chain attack that Sansec uncovered in 2024.

“The malicious code did not live on any victim’s own server but was injected via Awesome Motive’s CDN endpoints.” continues the report. “This resembles the Polyfill supply chain attack that Sansec discovered in 2024: tamper with a single upstream file, and the malware reaches thousands of downstream sites without ever touching them individually.”

OptinMonster alone has over a million active WordPress installations. Add TrustPulse and PushEngage and the exposure surface becomes very large very fast.

According to the researchers, the injected code is carefully written to avoid detection. It exits immediately if it detects a headless browser, a web driver, or a zero-size window. It only proceeds if it finds a logged-in WordPress administrator, checking for wp-admin paths, the admin toolbar, or the wordpress_logged_in_ cookie. A 24-hour throttle stored in localStorage prevents it from firing repeatedly during the same session.

Once it confirms it’s looking at a real admin, it gets to work. It locates the WordPress installation root, fingerprints the version, and harvests authentication tokens from multiple sources, including the REST API settings and the admin AJAX endpoint. Then it creates a backdoor administrator account using four separate fallback methods in sequence: the user registration form, admin-ajax.php, the REST API users endpoint, and finally a hidden iframe form submission.

It even recognizes “user already exists” error messages in roughly twenty languages. The fixed account it plants is developer_api1 with the email [email protected], alongside randomized dev_xxxxxx accounts for variety.

All the stolen data, credentials, site address, admin path, and WordPress version, gets scrambled with a simple encryption key, converted to text, and quietly sent to tidio.cc. That domain was registered on April 28 specifically to look like tidio.com, the real chat platform most people wouldn’t think twice about seeing in network traffic.

“The new admin user:password, site origin, logout URL, admin path, method, timing and WordPress version are XOR-encrypted (key jX9kM2nP4qR6sT8v), base64-encoded, and sent to tidio.cc/cdn-cgi/*.” states the report. “Delivery falls back through sendBeacon, then fetch (no-cors), then XHR, then an Image().src beacon.”

Four separate delivery mechanisms in sequence, because the attacker didn’t want a single failed network request to stop the exfiltration.

The backdoor plugin that gets silently installed is the part that should make any WordPress administrator nervous. It hides itself from the plugin list on the admin dashboard, from the REST API plugins endpoint, from update checks, and from the recently active list. It exposes two unauthenticated entry points: one opens a web shell called “WPM File Manager & Shell” that runs arbitrary system commands and accepts file uploads, the other runs arbitrary PHP code via eval.

“The plugin that gets installed is built to disappear. It hides itself from the user list, the plugin list (both the admin screen and the REST /wp/v2/plugins endpoint), update checks, and the “recently active” list.” warns Sansec. “The operator rotates the plugin’s disguise while keeping the logic byte-identical across renames. We have observed it shipping as ‘Content Delivery Helper’ (content-delivery-helper, v2.7.1) and, currently, as ‘Database Optimizer’ (database-optimizer, v2.9.4).”

The plugin ZIP is generated fresh on each request, so file hashes change constantly while the functionality stays identical.

The timeline is tight. The C2 domain tidio.cc was registered April 28. The first verified malicious code appeared in OptinMonster and TrustPulse CDN files at 22:17 UTC on June 12. By 22:42 those two were clean. PushEngage kept serving the injected code until June 14. The C2 server remained live and generating fresh payloads throughout.

Awesome Motive’s broader portfolio includes WPForms with over six million active installs, MonsterInsights with around two million, and All in One SEO with around three million. Only OptinMonster, TrustPulse, and PushEngage have confirmed compromised code so far, but anyone running any Awesome Motive plugin should treat this as an active incident until the company provides a full account of what happened. Sansec reached out to Awesome Motive and received no response.

If you had any of the affected plugins installed and an admin was logged in during the injection window, the damage is already done. Check your user list for developer_api1 and any dev_xxxxxx accounts and remove them. Then check the filesystem under wp-content/plugins directly, not the admin dashboard, for content-delivery-helper or database-optimizer directories. The plugin actively hides from the UI, so the dashboard will lie to you.

The WordPress cybersecurity firm also provided indicators of compromise (IoCs) for this campaign.

“If you find any indicators of compromise: rotate every admin password and secret, and assume the attacker has had unauthenticated code execution.” concludes the report. “Because the payload only ever ran for logged-in admins, server-side scanning is one of the most reliable ways to catch it.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Supply Chain Attack)