
More than 1,000 WordPress websites have been compromised with malicious JavaScript code that installs four separate backdoors, according to security researcher Himanshu Anand from c/side. The attack uses multiple backdoors to ensure persistent access even if one is discovered and removed.
The malicious code is being served through cdn.csyndication[.]com, with at least 908 websites currently referencing this domain. The four backdoors function as follows:
1. Uploads and installs a fake plugin called “Ultra SEO Processor” to execute attacker commands
2. Injects malicious JavaScript into the wp-config.php file
3. Adds attacker-controlled SSH keys to enable persistent remote access
4. Executes remote commands and fetches additional payloads from gsocket[.]io, likely to establish reverse shells
Security experts recommend that affected users delete unauthorized SSH keys, change WordPress admin credentials, and monitor system logs for suspicious activity.
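As an added example (my own triage script, not part of c/side's report or this article), the POSIX shell below checks a WordPress install for the host-level indicators named above: files referencing the two domains, a plugin whose header declares the “Ultra SEO Processor” name, and `authorized_keys` entries absent from an allow-list. The document root, the allow-list format, matching the rogue plugin on its `Plugin Name:` header (its on-disk directory name is not published) and every sample file the demo builds are assumptions or constructed for this example.

```shell
#!/bin/sh
# Added triage script (not from the c/side report). Checks a WordPress
# install for the indicators described in the article. Paths, the
# allow-list format and the sample site below are assumptions/constructed.

# Domains named in the report, dots escaped so grep -E matches literally.
IOC_DOMAINS='cdn\.csyndication\.com|gsocket\.io'
# Plugin name from the report; its directory slug is not published, so we
# match the WordPress "Plugin Name:" header instead (assumption).
IOC_PLUGIN_NAME='Ultra SEO Processor'

# Prints every PHP/JS/HTML file under $1 that references an IoC domain.
find_ioc_references() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) \
        -exec grep -lE "$IOC_DOMAINS" {} + 2>/dev/null
}

# Prints plugin files whose header declares the rogue plugin name.
find_rogue_plugins() {
    find "$1" -type f -name '*.php' \
        -exec grep -liE "Plugin Name:[ \t]*$IOC_PLUGIN_NAME" {} + 2>/dev/null
}

# Prints lines of authorized_keys ($1) whose key type + material is not in
# the allow-list ($2). Comparing fields 1-2 (not the comment) means a key
# planted with a familiar comment is still flagged. Entries with leading
# options (command="...") do not parse as type+key and are therefore
# reported as unknown, which is the conservative choice for manual review.
# FILENAME==ARGV[1] instead of NR==FNR keeps this correct for an empty allow-list.
find_unknown_keys() {
    awk 'FILENAME == ARGV[1] { allowed[$1 " " $2] = 1; next }
         /^[ \t]*(#|$)/ { next }
         !(($1 " " $2) in allowed) { print }' "$2" "$1"
}

# Runs all three checks; prints a summary and returns 1 if anything was found.
# Usage: run_triage <docroot> <authorized_keys> <allowlist>
run_triage() {
    n_ioc=$(find_ioc_references "$1" | wc -l | tr -d ' ')
    n_plug=$(find_rogue_plugins "$1/wp-content/plugins" | wc -l | tr -d ' ')
    n_keys=$(find_unknown_keys "$2" "$3" | wc -l | tr -d ' ')
    echo "ioc references: $n_ioc, rogue plugins: $n_plug, unknown ssh keys: $n_keys"
    [ "$((n_ioc + n_plug + n_keys))" -eq 0 ]
}

# Builds a constructed sample site under $1 so the script runs offline.
# None of the contents are real payloads or real keys.
make_sample_site() {
    base=$1
    mkdir -p "$base/html/wp-content/plugins/ultra-seo-processor" \
             "$base/html/wp-content/plugins/akismet" "$base/ssh"
    # wp-config.php with a constructed injected tag (script path is made up)
    cat > "$base/html/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
?><script src="https://cdn.csyndication.com/CONSTRUCTED.js"></script>
EOF
    cat > "$base/html/wp-content/plugins/akismet/akismet.php" <<'EOF'
<?php
/* Plugin Name: Akismet Anti-Spam */
EOF
    # directory name is an assumption; only the header name is from the report
    cat > "$base/html/wp-content/plugins/ultra-seo-processor/plugin.php" <<'EOF'
<?php
/* Plugin Name: Ultra SEO Processor */
EOF
    # constructed keys: the second reuses the admin comment but is not allow-listed
    printf 'ssh-ed25519 AAAAC3CONSTRUCTEDKEY1 admin@example.org\n' > "$base/ssh/allowlist"
    {
        printf 'ssh-ed25519 AAAAC3CONSTRUCTEDKEY1 admin@example.org\n'
        printf '# rotated 2024 (comment line, ignored)\n'
        printf 'ssh-rsa AAAAB3CONSTRUCTEDKEY2 admin@example.org\n'
    } > "$base/ssh/authorized_keys"
}

# Demo against the constructed sample; on a real host point run_triage at
# the document root, the web user's authorized_keys and your allow-list.
demo=$(mktemp -d)
make_sample_site "$demo"
run_triage "$demo/html" "$demo/ssh/authorized_keys" "$demo/ssh/allowlist" || true
rm -rf "$demo"
```

A clean result is evidence, not proof: the script only inspects files on disk, so the remediation steps above (removing unknown keys, rotating admin credentials, reviewing logs) still apply, and anything it flags should be preserved for forensics before it is deleted.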
In a separate campaign, over 35,000 websites have been infected with malicious JavaScript that redirects visitors to Chinese gambling platforms. This attack targets Mandarin-speaking regions and operates through five different domains serving as loaders for the redirection payload.
Additionally, Group-IB has identified a threat actor named ScreamedJungle that targets Magento e-commerce sites. This group injects “Bablosoft JS” code to collect browser fingerprinting data from visitors. At least 115 e-commerce sites have been compromised through known Magento vulnerabilities, including CVE-2024-34102 and CVE-2024-20720. The campaign, first detected in May 2024, demonstrates how browser fingerprinting techniques can be weaponized for fraudulent activities.