A new JavaScript-based attack has been discovered on more than 500 government and university websites around the world. Attackers injected malicious scripts that create hidden links in the DOM (Document Object Model), which redirect users to third-party resources. The attack was identified on January 20, 2025, but as of January 22, not a single threat detection system had flagged this activity.
According to c/side, the goal of the attack is black hat SEO. The malicious links injected into the code are visually hidden using CSS. One example of the style used:
This approach keeps the links inconspicuous to users while search engines still index them, which raises the ranking of the linked resources. The scripts are hosted on the scriptapi.dev domain, where several variants have been found, for example:
- scriptapi.DEV/API/Smacr.JS
- scriptapi.DEV/API/EN.TLU.JS
- scriptapi.DEV/API/Harvardpress.Js
The script works by determining its location in the DOM using the document.currentScript property and inserting the links in front of the tag.
The affected sites include resources built on popular platforms and frameworks: WordPress 6.7.1, MS ASP.NET, vBulletin, PHP CodeIgniter and even 1C-Bitrix. Lists of such sites can be found on PublicWWW and urlscan.
This attack highlights the growing supply chain risks in web development. Using third-party scripts makes websites vulnerable to such attacks, since those scripts have direct access to the DOM and can perform any action in the user's browser.
Protection recommendations for administrators of web resources:
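A way to check a rendered page for the two signs described above, a script loaded from a host that is not on the site's allowlist and visually hidden off-site links, as an added example that is not from the original report. The allowlist, the hiding heuristics, the function names and the sample data are assumptions; collectSnapshot needs a browser, auditSnapshot runs anywhere.

```javascript
// The allowlist, the hiding heuristics and SAMPLE are assumptions, not values from the report.
const ALLOWED_SCRIPT_HOSTS = new Set(["www.example.edu", "cdn.example.edu"]);

function hostOf(url, base) {
  try { return new URL(url, base).hostname.toLowerCase(); } catch { return null; }
}

// Typical ways to keep a link in the DOM but out of sight (assumed list).
function looksHidden(s) {
  const num = (v) => parseFloat(v); // "0px" -> 0, "auto"/undefined -> NaN
  const offscreen = ["absolute", "fixed"].includes(s.position) &&
    (num(s.left) <= -1000 || num(s.top) <= -1000);
  return s.noBox === true || s.display === "none" || s.visibility === "hidden" ||
    num(s.opacity) === 0 || num(s.fontSize) === 0 || offscreen;
}

// Pure check over a snapshot: { scripts: [src], links: [{ href, style }] }.
function auditSnapshot(snap, pageUrl) {
  const pageHost = hostOf(pageUrl);
  const findings = [];
  for (const src of snap.scripts) {
    const host = hostOf(src, pageUrl);
    if (host && !ALLOWED_SCRIPT_HOSTS.has(host)) findings.push({ type: "unlisted-script", host });
  }
  for (const { href, style } of snap.links) {
    const host = hostOf(href, pageUrl);
    if (host && host !== pageHost && looksHidden(style)) findings.push({ type: "hidden-offsite-link", host });
  }
  return findings;
}

// Browser-only collector: run in the page's console, then pass the result to auditSnapshot.
function collectSnapshot(doc, win) {
  const styleOf = (a) => {
    const c = win.getComputedStyle(a);
    return { noBox: a.getClientRects().length === 0, display: c.display, visibility: c.visibility,
      opacity: c.opacity, fontSize: c.fontSize, position: c.position, left: c.left, top: c.top };
  };
  return { scripts: [...doc.querySelectorAll("script[src]")].map((s) => s.src),
    links: [...doc.querySelectorAll("a[href]")].map((a) => ({ href: a.href, style: styleOf(a) })) };
}

// Constructed sample: the script path is a placeholder, the example.* hosts are made up.
const SAMPLE = {
  scripts: ["/js/site.js", "https://scriptapi.dev/api/PLACEHOLDER.js"],
  links: [
    { href: "https://partner.example.org/", style: { display: "inline", opacity: "1" } },
    { href: "https://promo.example.net/", style: { position: "absolute", left: "-9999px" } },
  ],
};
```

In a browser console, auditSnapshot(collectSnapshot(document, window), location.href) audits the current page. The getClientRects check also flags links hidden through an ancestor's display: none, which the link's own computed style does not show.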
- Update and audit plugins – review the plugins in use, remove unused ones and make sure the rest are up to date.
- CSP (Content Security Policy) – restrict