Malware hides in Steam comments to infect WordPress sites

June 1, 2026
By SC Staff

Nearly 2,000 WordPress websites have been infected with malware that uses Steam Community profile comments to conceal command-and-control data. This tactic allows attackers to avoid maintaining separate infrastructure and evade detection methods, according to a recent report by Bleeping Computer.

The malware campaign, discovered in July 2025, has affected approximately 1,980 WordPress sites. Researchers from GoDaddy suspect initial infection vectors include compromised login credentials, vulnerable themes or plugins, or supply-chain attacks.

The first-stage malware extracts encoded payloads from seemingly benign comments on Steam profiles, utilizing invisible Unicode characters to hide malicious scripts. These characters are decoded into binary data, which then constructs a URL pointing to a malicious JavaScript file disguised as a legitimate library. This script is injected into WordPress pages, ultimately installing a backdoor.

The backdoor responds to specific POST requests with an authentication cookie, allowing it to receive base64-encoded PHP code. The malware employs evasion techniques like obfuscated strings and randomized function names.

Site owners can defend against this threat by checking for Steam Community URLs, suspicious JavaScript injections, and outbound connections to hello-mywordl[.]info, among other indicators. Restoring from a known good backup is the recommended remediation, as manual cleaning requires thoroughness to prevent reinfection through the backdoor.

Source: Bleeping Computer
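A file-content check for the indicators listed above, as an added example that is not taken from the GoDaddy or Bleeping Computer report: it flags Steam Community URLs, the hello-mywordl[.]info domain, and long runs of invisible Unicode characters. The Unicode "Cf" category test, the run threshold of 8 and the sample strings are assumptions made for this example; the article does not say which invisible characters the campaign uses.

```python
import re
import unicodedata

# Indicators named in the article. The domain pattern accepts the plain and
# the defanged spelling; steamcommunity.com is the Steam Community host.
INDICATORS = {
    "steam_community_url": re.compile(r"steamcommunity\.com/", re.I),
    "c2_domain": re.compile(r"hello-mywordl\[?\.\]?info", re.I),
}
MIN_RUN = 8  # assumption: shortest invisible run worth reporting


def invisible_runs(text, min_run=MIN_RUN):
    """Return (offset, length) for each run of Unicode format (Cf) characters."""
    runs, start = [], None
    for i, ch in enumerate(text + "\n"):  # sentinel closes a trailing run
        if unicodedata.category(ch) == "Cf":
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = None
    return runs


def scan(name, text):
    """Return sorted (name, indicator, offset) findings for one blob of text."""
    findings = [(name, label, m.start())
                for label, rx in INDICATORS.items()
                for m in rx.finditer(text)]
    findings += [(name, "invisible_unicode_run", off)
                 for off, _ in invisible_runs(text)]
    return sorted(findings)


# Constructed samples for illustration; none is taken from the campaign.
SAMPLES = {
    "functions.php": "<?php $u = 'https://steamcommunity.com/profiles/EXAMPLE';",
    "comment.txt": "nice profile!" + "\u200b\u200c" * 6 + " gg",
    "footer.php": "<script src='https://hello-mywordl[.]info/x.js'></script>",
    "clean.php": "<?php echo 'caf\u00e9 \u200b ok';",
}

if __name__ == "__main__":
    for sample_name, body in SAMPLES.items():
        for finding in scan(sample_name, body):
            print(finding)
```

A single zero-width character, as in the clean.php sample, is common in legitimate text and is not reported; only runs at or above the threshold are.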