Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites
Attackers tampered with JavaScript files for the popular WordPress plugins PushEngage, OptinMonster, and TrustPulse, introducing hidden backdoors into websites. The malicious code was designed to execute when a site administrator was logged in and the compromised file loaded. Upon execution, the script created a new administrator account under the attacker's control and installed a hidden plugin to maintain persistent access. Because the attack specifically targeted logged-in administrators, ordinary website visitors were not affected by the malicious code.

Security researchers discovered the compromise after observing the unauthorized modifications to the trusted plugin files. The extent of the compromise and the number of affected sites are still under investigation, but the use of widely adopted plugins suggests a potentially broad impact.

WordPress administrators are advised to review their site's security, check for unauthorized admin accounts, and ensure their plugins are updated to the latest versions from official sources. The attackers leveraged the trust associated with these plugins to distribute their malicious payload, highlighting the ongoing risks of supply chain attacks in the software ecosystem.
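The account and plugin review advised above, as an added example (not code from the original report or from any of the plugins named): it takes rows exported from the WordPress users and usermeta tables, finds accounts whose serialized capabilities grant the administrator role, and compares those accounts and the directories under wp-content/plugins against an inventory you maintain. The sample rows, account names and plugin slugs are constructed, and the approved lists are assumptions about your own site.

```python
import re

# Matches the administrator role inside WordPress's PHP-serialized capabilities
# value, e.g. a:1:{s:13:"administrator";b:1;}
ADMIN_ROLE = re.compile(r's:13:"administrator";b:1;')

def admin_ids(usermeta_rows):
    """Return the user IDs that hold the administrator role.

    usermeta_rows: (user_id, meta_key, meta_value) tuples exported from the
    usermeta table. The key is "<table prefix>capabilities", so match by suffix.
    """
    return {
        uid for uid, key, value in usermeta_rows
        if key.endswith("capabilities") and ADMIN_ROLE.search(value)
    }

def audit(users, usermeta_rows, approved_admins, plugin_dirs, approved_plugins):
    """Flag admins and plugin directories missing from the approved inventory."""
    admins = admin_ids(usermeta_rows)
    rogue = sorted(
        (login, registered) for uid, login, registered in users
        if uid in admins and login not in approved_admins
    )
    unknown_plugins = sorted(set(plugin_dirs) - set(approved_plugins))
    return rogue, unknown_plugins

# Constructed sample data (not taken from the reported incident).
USERS = [  # (ID, user_login, user_registered)
    (1, "site-owner", "2021-03-02 10:14:00"),
    (7, "editor-jane", "2023-08-19 09:00:00"),
    (42, "wp-support-svc", "2025-01-01 03:12:45"),
]
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (42, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]
PLUGIN_DIRS = ["akismet", "example-forms", "cache-helper-x"]  # names under wp-content/plugins

if __name__ == "__main__":
    rogue, unknown = audit(USERS, USERMETA, {"site-owner"}, PLUGIN_DIRS,
                           {"akismet", "example-forms"})
    for login, registered in rogue:
        print(f"unapproved administrator: {login} (registered {registered})")
    for slug in unknown:
        print(f"plugin directory not in inventory: {slug}")
```

Checking the plugin directory on disk rather than the dashboard list matters here because the report describes the installed plugin as hidden.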
Original source: The Hacker News (read the full reporting at the publisher).