Researchers Denis Sinegubko and Adrian Stoyan have found fake versions of jQuery files on dozens of sites that mimic the jQuery Migrate plugin for WordPress, running on 7.2 million sites. Such forgeries contain obfuscated code to download malware, and it is not yet clear how these scripts end up on the pages of compromised resources.
We lately see many websites with replaced ./wp-includes/js/jquery/jquery-migrate.min.js
It loads malware from hxxps://stick.travelinskydream[.]ga/analytics.js pic.twitter.com/3W7nSoCsLm
— Denis (@unmaskparasites) March 30, 2021
To make detection more difficult, these malicious files replace legitimate files at ./wp-includes/js/jquery/, where WordPress usually stores jQuery files. For example, the jquery-migrate.js and jquery-migrate.min.js files contain obfuscated code that additionally loads a strange analytics.js file with malware inside.
Although the full scope of this problem has not been determined, Sinegubko shared search querywhich helps to detect more than three dozen pages infected with this “analytical script”.
Edition Bleeping Computer writes that in fact this script, of course, has nothing to do with analytics. For example, the code contains links to / wp-admin / user-new.php: the WordPress admin page for creating new users. Moreover, the code accesses the _wpnonce_create-user variable, which WordPress uses to provide CSRF protection.
Also, the “analytical script” can direct visitors to pages with fake polls, sites of fake technical support, forcing them to subscribe to spam or download dangerous browser extensions.
In the examples that Bleeping Computer researchers found, malicious pages prompted the user to allow notifications, ostensibly to make sure they weren’t a robot, or led to pages with fake polls aimed at collecting user data.