Supply chain attack via manipulated CDN conceals admin accounts and web shells on over 1.2 million WordPress websites; infections are not detectable through the standard dashboard.