Researchers detected dozens of websites containing fake versions of the jQuery Migrate plugin with obfuscated code that delivers malware.
These malicious files, jquery-migrate.js and jquery-migrate.min.js, are loaded from the same locations as legitimate JavaScript files are normally present on WordPress websites.
jQuery Migrate is a popular WordPress plugin that has been downloaded over 7.2 million times.
Security researchers Denis Sinegubko and Adrian Stoian spotted counterfeit jQuery files this week, BeepingComputer reports.
The researchers noticed that malicious files replaced the original JavaScript files on the attackers’ websites at ./wp-includes/js/jquery/, the directory where WordPress keeps jQuery files.
Although the researchers haven’t described the full scale of this attack, they showed that over three dozen pages currently are infected with the malicious code.
The researchers also noticed that the script references “/wp-admin/user-new.php” which is used for creating new WordPress users. The code also accesses the _wpnonce_create-user variable with the purpose to obtain or set CSRF tokens which would allow the attackers to make forged requests on behalf of users, researchers say.
Ultimately, the script could allow attackers to conduct, for example, Magecart scams for credit card skimming or redirect users to fake surveys, tech support scams for scamming purposes.
Users may be directed to, be asked to subscribe to spam notification or download unwanted browser extensions.
In one instance, researchers saw that the checkme() function attempted to redirect the user’s browser window to a malicious URL, as also confirmed by BeepingComputer
BleepingComputer reported that some pages repeatedly prompted the user to “Allow” browser notifications “to verify they were not a robot.” IN other instances, the script opened fake surveys for illicitly harvesting user data.
At the time of writing, given low VirusTotal detection rates, the malicious analytics.js file and URL would not be picked up by over 90% of antivirus engines.
Researchers do not yet know how attackers inject these scripts or compromise WordPress websites.
