- Over 3,500 websites worldwide have been secretly compromised to run JavaScript cryptocurrency mining code.
- The malicious mining scripts use obfuscated JavaScript and Web Workers to perform background mining without alerting users or security software.
- Attackers utilize WebSockets to fetch and manage mining tasks dynamically, keeping resource usage low for stealth operations.
- The domain used for the miner has also been linked to Magecart credit card skimming, suggesting attackers are diversifying their methods.
- Recent incidents include other website attacks, like redirect Malware and supply chain threats through WordPress plugins and themes.
A new cyberattack campaign has secretly infected more than 3,500 websites around the world with JavaScript code designed to mine cryptocurrency in users’ web browsers. The attacks were identified by researchers at c/side, who found that the compromised sites run a stealth mining operation, draining device resources without the user’s knowledge.
Researchers found that the mining code is hidden in scrambled JavaScript, which checks a device’s computing power and then launches background mining workers. These scripts make use of WebSockets to connect to an external server, enabling the attacker to adjust mining load based on the victim’s hardware. This method allows the mining process to go undetected by both users and many security tools.
Security researcher Himanshu Anand said, “This was a stealth miner, designed to avoid detection by staying below the radar of both users and security tools.” The investigations also revealed that the same domain responsible for the JavaScript miner has previously been involved in attacks to steal credit card details through Magecart skimming.
Attackers are seen expanding their efforts beyond mining by combining techniques. These include using domains linked to both cryptocurrency mining and deployment of credit card-stealing scripts on shopping websites. According to c/side, “Attackers now prioritize stealth over brute-force resource theft, using obfuscation, WebSockets, and infrastructure reuse to stay hidden.”
Other web-based attacks were also noted recently. Some Hackers have abused the callback feature in a legitimate Google OAuth endpoint (accounts.google.com/o/oauth2/revoke) to load malicious JavaScript and set up unauthorized connections. There have been cases of direct malware injection into WordPress databases using Google Tag Manager scripts, redirecting visitors to spam domains.
Additional incidents include hackers compromising WordPress files and themes, leading to unwanted browser redirects or injecting search engine spam. Attackers have even distributed backdoored versions of the Gravity Forms plugin, allowing them to take control of affected sites, as detailed in a recent security statement from the plugin’s developers.
These findings come alongside ongoing e-commerce skimming campaigns and highlight an evolving landscape of stealthy, profit-driven cyberattacks targeting both cryptocurrency and payment information.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Consensys to Release Urgent MetaMask Fix for SSD Overwrite Bug
- Netflix Uses Generative AI for VFX in Argentinian Series “The Eternaut”
- U.S. Bank Completes First Fully Blockchain-Based Trade Finance Deal
- Strategy Nears New Bitcoin Buy as Holdings Top $71B, Stock Soars
- Radix Considers Delaying 1B XRD Rewards Launch for Hyperlane
