A malicious WordPress plugin disguised as "Yoast SEO" was found injecting a fake "Java Update" pop-up to trick users into downloading malware. The plugin injects JavaScript into the of pages, avoiding macOS, mobile, and Safari users.

A fake Google Meet page was discovered, designed to trick users into running a malicious PowerShell command under the guise of fixing a "Microphone Permission Denied" error.

A new malware campaign is targeting WordPress sites by impersonating a Cloudflare verification page. This multistage infection uses social engineering and obfuscated PowerShell commands to deliver a malicious Windows executable

The attackers used multiple stealthy methods to evade detection: naming the plugin an innocent-sounding name, and hiding it in the WordPress plugins directory versus a core file to avoid being found by integrity checks.

The WordPress malware injection attempts to trick unsuspecting victims into executing malicious Powershell commands within Windows OS environments to infect their computers with backdoors.

Analyzing the decoded version of the malicious script reveals that it first checks whether the user is on the checkout page and ensures the script hasn’t run yet in the current session.

The malicious code was found in the database table cms_block.content and was disguised as a standard Google Tag Manager and Google Analytics tracking script. It contained an encoded JavaScript payload designed to collect user data during checkout.

The credit card skimmer silently injects malicious JavaScript into database entries to steal sensitive payment details. The malware activates on checkout pages by hijacking existing payment fields or injecting a fake credit card form.

This malware dynamically creates a fake credit card form or extracts payment fields directly depending on the variant of the malware, activating only on checkout pages. The stolen data is then encrypted and exfiltrated to a remote server.

A recent WooCommerce skimming attack used a creative method to steal credit card details by hiding malicious code within style tags and embedding a fake payment overlay in an image file disguised as a favicon.