There is a long-lasting malware campaign (dating back to at least 2016) that injects fake jQuery scripts:
<script type="text/javascript" src="hxxps://www.XX[X]wp[.]org/jquery.js"></script>
Where XX[X] are 2 or 3 random characters.
This Twitter thread mentions some of them:
Empty JS injection hxxp://9iwp[.]org/jquery.js” found on 1000+ WooCommerce sites. Registered Aug 5th. Expanding network before activation payload? https://t.co/ak0r7U9mTC
— Willem de Groot (@gwillem) August 31, 2018
We’ve compiled a longer list of the fake jQuery URLs employed by this campaign, along with numbers of websites PublicWWW currently finds them on:
- www.9iwp[.]org/jquery.js – 6473
- www.34wp[.]org/jquery.js – 2830
- www.3vwp[.]org/jquery.js – 2552
- www.7owp[.]org/jquery.js – 1248
- www.57wp[.]org/jquery.js – 168
- www.29wp[.]org/jquery.js – 115
- www.j3wp[.]org/jquery.js – 85
- www.i1wp[.]org/jquery.js – 51
- www.i7wp[.]org/jquery.js – 17
- www.x5wp[.]org/jquery.js – 12
- www.i2wp[.]org/jquery.js – 8
- www.35wp[.]org/jquery.js – 6
- www.75wp[.]org/jquery.js – 4
- www.10wp[.]org/jquery.js – 3
- www.I0wp[.]org/jquery.js – 3
- www.I3wp[.]org/jquery.js – 3
- www.61wp[.]org/jquery.js – 3
Rianna MacLeod
Marc-Alexandre Montpas
Douglas Santos
Moe O
Daniel Cid