Fake Wp.org/jquery.js

Labs Note

There is a long-lasting malware campaign (dating back to at least 2016) that injects fake jQuery scripts:

<script type="text/javascript" src="hxxps://www.XX[X]wp[.]org/jquery.js"></script>

Where XX[X] are 2 or 3 random characters.

This Twitter thread mentions some of them:

 

We’ve compiled a longer list of the fake jQuery URLs employed by this campaign, along with numbers of websites PublicWWW currently finds them on:

  • www.9iwp[.]org/jquery.js – 6473
  • www.34wp[.]org/jquery.js – 2830
  • www.3vwp[.]org/jquery.js – 2552
  • www.7owp[.]org/jquery.js – 1248
  • www.57wp[.]org/jquery.js – 168
  • www.29wp[.]org/jquery.js – 115
  • www.j3wp[.]org/jquery.js – 85
  • www.i1wp[.]org/jquery.js – 51
  • www.i7wp[.]org/jquery.js – 17
  • www.x5wp[.]org/jquery.js – 12
  • www.i2wp[.]org/jquery.js – 8
  • www.35wp[.]org/jquery.js – 6
  • www.75wp[.]org/jquery.js – 4
  • www.10wp[.]org/jquery.js – 3
  • www.I0wp[.]org/jquery.js – 3
  • www.I3wp[.]org/jquery.js – 3
  • www.61wp[.]org/jquery.js – 3
You May Also Like