
Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites

thehackernews.com | 2026-06-15 | AI supply chain | Critical

What Happened

An attacker tampered with trusted JavaScript files used by WordPress sites running PushEngage, OptinMonster, and TrustPulse, turning those files into a way to break into the sites. When a site administrator was logged in as the file loaded, the code created an admin account under the attacker's control and installed a hidden plugin that opened a way back in. Ordinary visitors did not trigger it.

Why It Matters

The article describes a supply-chain-style compromise in which trusted JavaScript assets for popular WordPress plugins (PushEngage, OptinMonster, TrustPulse) were tampered with to create hidden admin accounts and install backdoored plugins whenever a logged-in site administrator loaded the altered script. This gave the attacker persistent, stealthy control over affected sites while remaining invisible to ordinary visitors. From a CyberSE.AI perspective, this reflects an AI supply chain pattern: third-party components that an organization implicitly trusts can be modified upstream to become covert control channels, analogous to poisoned model artifacts, SDKs, or front-end scripts used by AI agents. Organizations should implement rigorous SBOM-based dependency tracking, integrity verification (e.g., code-signing or hash checks), and least-privilege patterns for any web or AI agents that execute third-party scripts or libraries tied to administrative sessions.
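The integrity-verification control mentioned above, as an added example that is not from the article or from any of the named plugins: a site owner pins a Subresource Integrity (SRI) digest for each third-party script at review time, re-checks the served files against those pins, and emits script tags the browser will refuse to execute if the file changes. The asset names, contents and URL are constructed placeholders.

```python
import base64
import hashlib
from typing import Dict, List

# Constructed sample contents standing in for the third-party scripts a site
# loads; the file names are illustrative, not the plugins' real asset paths.
GOOD_ASSETS: Dict[str, bytes] = {
    "pushengage.js": b"window.PushEngage = window.PushEngage || [];",
    "optinmonster.js": b"(function(){ /* campaign loader */ })();",
    "trustpulse.js": b"(function(){ /* notification widget */ })();",
}

def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ("sha384-<base64>") for the bytes."""
    raw = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"

def pin_assets(assets: Dict[str, bytes]) -> Dict[str, str]:
    """Record the known-good digest of every asset at review time."""
    return {name: sri_digest(body) for name, body in assets.items()}

def verify_assets(assets: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return the names of assets that are unpinned or no longer match their pin."""
    return sorted(
        name for name, body in assets.items()
        if manifest.get(name) != sri_digest(body)
    )

def script_tag(src: str, digest: str) -> str:
    """Emit a script tag the browser will refuse to run if the file's bytes change."""
    return f'<script src="{src}" integrity="{digest}" crossorigin="anonymous"></script>'

def tampered_copy() -> Dict[str, bytes]:
    """Constructed 'after' state: one asset has had extra bytes appended upstream."""
    altered = dict(GOOD_ASSETS)
    altered["optinmonster.js"] += b"\n/* appended content */"
    return altered

if __name__ == "__main__":
    manifest = pin_assets(GOOD_ASSETS)
    print("clean:", verify_assets(GOOD_ASSETS, manifest))          # []
    print("tampered:", verify_assets(tampered_copy(), manifest))   # ['optinmonster.js']
    # Placeholder URL; a real deployment would use the plugin's actual script URL.
    print(script_tag("https://cdn.example.invalid/optinmonster.js", manifest["optinmonster.js"]))
```

SRI only helps when the pinned hash lives somewhere the party who can alter the script cannot also update, so the manifest belongs in the site's own version-controlled templates, not beside the third-party asset; any mismatch on re-check is a signal to inspect the file and the site's admin accounts and plugin list before re-pinning.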

Healthcare | Fintech | SaaS | SMB | AI startups

CyberSE Analysis

This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/06/popular-wordpress-plugin-scripts.html
