Over 3,500 Websites Compromised in Stealthy JavaScript Cryptojacking Campaign
CYBER SYRUP

A newly discovered browser-based cryptojacking campaign has compromised over 3,500 websites worldwide, marking the return of in-browser cryptocurrency mining—a tactic once popularized by now-defunct services like CoinHive.
Security researchers from c/side identified the campaign, which uses obfuscated JavaScript to stealthily mine cryptocurrency using the visitor’s browser resources without their knowledge or consent.
How the Attack Works
The injected JavaScript code is designed to:
Assess the device's computing power.
Spawn Web Workers in the background to distribute mining tasks across multiple threads.
Use WebSockets to connect to a remote server that dynamically assigns mining jobs.
Throttle resource usage to avoid noticeable performance drops, allowing it to evade user detection and security tools.
"This was a stealth miner, designed to avoid detection by staying below the radar," said researcher Himanshu Anand.
These techniques allow the attacker to prolong mining sessions by maintaining a low profile, gradually siphoning CPU power for cryptocurrency generation.
Scale and Infrastructure
The JavaScript miner is served from a domain that has previously been linked to Magecart credit card skimming attacks, indicating that the same infrastructure is now used for multiple malicious campaigns. This reuse of resources suggests a deliberate effort to diversify attack vectors and maximize revenue.
The goal is no longer brute-force exploitation, but instead persistent, low-impact cryptojacking that flies under the radar—“like a digital vampire,” as c/side puts it.
Magecart Connections and Related Threats
This campaign coincides with a Magecart skimming operation targeting East Asian e-commerce platforms using OpenCart CMS. Threat actors injected fake checkout forms to steal payment card data, which was then exfiltrated to remote servers.
Additionally, a surge in client-side website attacks has been observed, including:
Abuse of legitimate Google OAuth endpoints to redirect users to malicious JavaScript payloads.
Injection of Google Tag Manager (GTM) scripts directly into WordPress databases.
Compromising WordPress theme footers and core files like wp-settings.php to establish persistent backdoors.
Use of fake WordPress plugins that activate only when search engine crawlers are detected.
Supply chain attacks involving backdoored versions of Gravity Forms that add hidden admin users and contact external C2 servers.
“If installed, these modifications block updates and allow full remote control,” warned Gravity Forms developer RocketGenius.
Recommendations
Regularly audit website files and databases for unauthorized changes.
Keep WordPress and plugins up to date from verified sources only.
Monitor for unusual outbound traffic, particularly WebSocket connections.
Use Web Application Firewalls (WAFs) and integrity monitoring tools to detect injection attempts.
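The miner traits described under "How the Attack Works" and the audit and monitoring recommendations above, as an added example that is not c/side's or the article's code: a Node.js script that scans saved page HTML (a WordPress theme footer, for instance) for those traits and for script hosts outside an allow-list. The indicator list, the host names and the sample page are assumptions constructed for this example; matches are leads for manual review, not proof of compromise.

```javascript
// Added example, not the article's or c/side's code. Heuristic audit of page HTML
// for the in-browser miner traits the campaign used; thresholds are assumptions.
const INDICATORS = [
  { name: 'probes CPU core count',        re: /navigator\.hardwareConcurrency/ },
  { name: 'spawns Web Workers',           re: /new\s+Worker\s*\(/ },
  { name: 'opens WebSocket to remote',    re: /new\s+WebSocket\s*\(\s*["'`]wss?:\/\//i },
  { name: 'paces itself with timers',     re: /set(Timeout|Interval)\s*\(/ },
  { name: 'hex-escaped string constants', re: /(\\x[0-9a-f]{2}){4,}/i },
];
// Pull every <script> tag out of the HTML, keeping its src (if any) and inline body.
function extractScripts(html) {
  const tags = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    tags.push({ src: src ? src[1] : null, body: m[2] });
  }
  return tags;
}
// Count how many miner indicators an inline script body matches.
function scoreScript(body) {
  const hits = INDICATORS.filter(i => i.re.test(body)).map(i => i.name);
  return { score: hits.length, hits };
}
// siteHost resolves relative src URLs; allowedHosts lists the CDNs you expect to load from.
function scanHtml(html, siteHost, allowedHosts = [siteHost], threshold = 3) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src !== null) {
      const host = new URL(s.src, `https://${siteHost}/`).host;
      if (!allowedHosts.includes(host)) findings.push({ kind: 'external-script', host });
      continue;
    }
    const { score, hits } = scoreScript(s.body);
    if (score >= threshold) findings.push({ kind: 'inline-miner-like', score, hits });
  }
  return findings;
}
// Constructed sample page: a benign inline script, an unexpected external loader,
// and an inline skeleton (no mining logic) with the traits the article describes.
const SAMPLE_HTML = `<script src="/wp-includes/js/jquery.min.js"></script>
<script>setTimeout(function () { console.log("ready"); }, 100);</script>
<script src="https://cdn.example-attacker.invalid/loader.js"></script>
<script>
var n = navigator.hardwareConcurrency || 2;
for (var i = 0; i < n; i++) new Worker("w.js");
var ws = new WebSocket("wss://jobs.example-attacker.invalid/ws");
setInterval(tick, 500);
</script>`;
console.log(JSON.stringify(scanHtml(SAMPLE_HTML, 'shop.example'), null, 2));
```

Run it over files pulled from the web root and over the rendered page as a visitor sees it; an inline script that only appears in the rendered page points at a database or plugin injection rather than a modified theme file.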
As website-focused threats continue to evolve, maintaining defense-in-depth and vigilant patching remains essential to avoid being unknowingly turned into part of a cybercriminal's infrastructure.