Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

There is a long-lasting malware campaign (dating back to at least 2016) that injects fake jQuery scripts:

<script type="text/javascript" src="hxxps://www.XX[X]wp[.]org/jquery.js"></script>

Where XX[X] are 2 or 3 random characters.

This Twitter thread mentions some of them:


We’ve compiled a longer list of the fake jQuery URLs employed by this campaign, along with numbers of websites PublicWWW currently finds them on:

  • www.9iwp[.]org/jquery.js - 6473
  • www.34wp[.]org/jquery.js - 2830
  • www.3vwp[.]org/jquery.js - 2552
  • www.7owp[.]org/jquery.js - 1248
  • www.57wp[.]org/jquery.js - 168
  • www.29wp[.]org/jquery.js - 115
  • www.j3wp[.]org/jquery.js - 85
  • www.i1wp[.]org/jquery.js - 51
  • www.i7wp[.]org/jquery.js - 17
  • www.x5wp[.]org/jquery.js - 12
  • www.i2wp[.]org/jquery.js - 8
  • www.35wp[.]org/jquery.js - 6
  • www.75wp[.]org/jquery.js - 4
  • www.10wp[.]org/jquery.js - 3
  • www.I0wp[.]org/jquery.js - 3
  • www.I3wp[.]org/jquery.js - 3
  • www.61wp[.]org/jquery.js - 3