Stratos Ally

Over 3,500 Sites Breached in JavaScript-Based Cryptomining Campaign


StratosAlly


More than 3,500 websites have been silently compromised in a browser-based cryptojacking campaign. Researchers at c/side found hidden JavaScript that first gauges the visitor's device capabilities and then spawns background Web Workers to mine cryptocurrency. The workers receive mining jobs over a WebSocket connection to an external server, and the script throttles its intensity to match the device so that CPU load stays low enough to escape notice.

Because the miner keeps to the background and its footprint small, visitors carry on browsing without noticing anything, and conventional security tools are given little to trigger on. How the attackers originally broke into the websites is still unknown. The server delivering the mining code, however, has been linked to earlier Magecart activity focused on payment-card skimming, which suggests the same group is stacking techniques such as skimming and cryptojacking to extract more value from each compromised site.
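As an added illustration, not code from c/side's report or from the miner itself, the Node.js snippet below scores a script for the combination of indicators described above: a device-capability probe, Web Workers built from in-memory blobs, a WebSocket job channel, and mining-job vocabulary. The indicator list, weights, threshold, and the three sample scripts are assumptions constructed for this example.

```javascript
// Added example (not c/side's scanner, not the campaign's code): a heuristic
// scorer for the Web Worker + WebSocket cryptojacker pattern. Every indicator,
// weight and threshold below is an assumption chosen for illustration.

const INDICATORS = [
  // Spawns a background thread; common and benign on its own.
  { name: "worker",       weight: 2, re: /new\s+Worker\s*\(/ },
  // Worker body assembled from a Blob, so there is no script file to inspect.
  { name: "worker_blob",  weight: 2, re: /createObjectURL\s*\(\s*new\s+Blob\b/ },
  // Persistent channel to an external server, typical for job dispatch.
  { name: "websocket",    weight: 3, re: /new\s+WebSocket\s*\(\s*["'`]wss?:/ },
  // Reads the core count to size the worker pool and throttle intensity.
  { name: "cpu_probe",    weight: 2, re: /navigator\.hardwareConcurrency\b/ },
  // Hash loops are usually compiled to WebAssembly for speed.
  { name: "wasm",         weight: 2, re: /WebAssembly\.(instantiate|compile)/ },
  // Field names typical of mining job messages (assumed vocabulary).
  { name: "mining_vocab", weight: 1, re: /\b(job_id|nonce|difficulty)\b/ },
];

// Assumption: a script must combine several cooperating indicators to be flagged.
const THRESHOLD = 6;

// Score one script body; each indicator counts once regardless of repetitions.
function scoreScript(source) {
  const matched = INDICATORS.filter((ind) => ind.re.test(source));
  return {
    score: matched.reduce((sum, ind) => sum + ind.weight, 0),
    hits: matched.map((ind) => ind.name),
  };
}

function isSuspicious(source, threshold = THRESHOLD) {
  return scoreScript(source).score >= threshold;
}

// Constructed samples for the example; none is captured code.
const MINER_SAMPLE = [
  'const cores = navigator.hardwareConcurrency || 2;',
  'const ws = new WebSocket("wss://pool.example.invalid/jobs");',
  'const body = "onmessage = (e) => { /* hash loop */ };";',
  'const workers = [];',
  'for (let i = 0; i < Math.max(1, cores - 1); i++) {',
  '  workers.push(new Worker(URL.createObjectURL(new Blob([body]))));',
  '}',
  'ws.onmessage = (e) => {',
  '  const job = JSON.parse(e.data);',
  '  workers.forEach((w) => w.postMessage({ job_id: job.job_id, nonce: 0 }));',
  '};',
].join("\n");

// A chat widget legitimately holds a WebSocket open; one indicator is not enough.
const CHAT_WIDGET_SAMPLE = [
  'const ws = new WebSocket("wss://chat.example.invalid/socket");',
  'ws.onmessage = (e) => render(JSON.parse(e.data));',
].join("\n");

const ANALYTICS_SAMPLE = [
  'window.addEventListener("load", () => {',
  '  navigator.sendBeacon("/collect", JSON.stringify({ path: location.pathname }));',
  '});',
].join("\n");

// Produce one report row per named sample.
function report(samples) {
  return Object.entries(samples).map(([label, src]) => {
    const { score, hits } = scoreScript(src);
    return { label, score, hits, suspicious: isSuspicious(src) };
  });
}

for (const row of report({ miner: MINER_SAMPLE, chat: CHAT_WIDGET_SAMPLE, analytics: ANALYTICS_SAMPLE })) {
  console.log(`${row.label}: score=${row.score} suspicious=${row.suspicious} hits=${row.hits.join(",")}`);
}
```

A scorer like this only narrows the set of scripts worth a manual look: a real chat client or a WebAssembly image codec will each trip a single indicator, and an obfuscated miner can hide the names the regexes key on. On the prevention side, a Content-Security-Policy that limits `worker-src` and `connect-src` to known origins denies both the blob-backed worker and the external WebSocket, whatever path the script took into the page.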

In parallel, Magecart actors are targeting East Asian online stores built on the OpenCart e-commerce platform. They inject fake payment forms at checkout that capture customers' bank details and send them to attacker-controlled servers.

Researchers also documented a mix of less-publicised attacks on websites. One tactic redirects users through a legitimate Google OAuth URL that quietly loads a hidden script; that script then opens a background connection to an attacker-controlled server. In another, attackers store malicious code in WordPress settings and content fields and use Google Tag Manager to funnel visitors to dubious sites. Some intrusions go further and alter how the site is configured by editing its core files.

Editing core files lets the attackers run custom code that stuffs search results with junk links promoting their own sites, and altered theme files are used to push unwanted redirects while a visitor browses. In some incidents the attackers planted a bogus plugin carrying the same name as the compromised site. The plugin stays dormant under normal conditions and activates only when it detects a search engine crawler, at which point it serves spam pages that manipulate rankings in favour of attacker-controlled sites. A more serious case was a supply-chain compromise in which tainted versions of the Gravity Forms plugin were distributed through the official channel. These versions silently disable updates, contact attacker-run servers, and create hidden administrator accounts, handing full control of the site to the intruders.

Taken together, this wave shows a clear shift toward stealthy client-side tactics that combine cryptomining, data theft, SEO abuse, and plugin tampering to sustain long-term exploitation.
