New JavaScript Attack Hijacking Government And University Websites

A sophisticated client-side JavaScript attack has compromised over 500 websites, including high-profile government and university domains. 

The malicious campaign, which injects hidden links into the Document Object Model (DOM), is believed to be part of a black hat Search Engine Optimization (SEO) effort to manipulate search engine rankings.

According to Cside researchers the attack involves the injection of JavaScript hosted on the domain scriptapi[.]dev. The scripts generate invisible links pointing to external websites, leveraging reputable domains to boost the SEO value of these external sites. 

These links are styled using CSS to remain hidden from users:

The malicious scripts are distributed across multiple endpoints, including:

• scriptapi[.]dev/api/smacr[.]js
• scriptapi[.]dev/api/en[.]tlu[.]js
• scriptapi[.]dev/api/sie[.]tlu[.]js
• scriptapi[.]dev/api/ppymca[.]js
• scriptapi[.]dev/api/pbsgc[.]js
• scriptapi[.]dev/api/adventum[.]js
• scriptapi[.]dev/api/harvardpress[.]js
• scriptapi[.]dev/api/krachelart[.]js
• scriptapi[.]dev/api/malagaadventures[.]js

The c/side researchers identified the malicious domain on January 20, 2025, but no major threat feeds have flagged it yet.

Technical Mechanism

The attack operates in two primary steps:

• Retrieve Script Location: Using document.currentScript, the script identifies its position in the DOM.
• Inject Hidden Links: It employs the insertAdjacentHTML(‘beforebegin,’ linksHTML) method to insert hidden links just before the script tag in the DOM.

These hidden links are indexed by search engines, attributing SEO value to external sites without user visibility or awareness.

Scope Of Impact

The attack targets a wide range of websites using various frameworks, highlighting its broad applicability. Affected platforms include:

• WordPress 6.7.1
• MS ASP.NET
• vBulletin
• PHP CodeIgniter
• 1C-Bitrix

To protect against such attacks, organizations should implement robust security measures:

• Content Security Policy (CSP): Restrict script sources to trusted domains using CSP headers.
• Subresource Integrity (SRI): Use SRI to verify the integrity of externally hosted scripts via cryptographic hashes.
• DOM Monitoring: Employ tools to detect unauthorized DOM changes and hidden element injections.
• Audit Third-Party Scripts: Periodically review dependencies for unauthorized modifications or vulnerabilities.
• Web Application Firewalls (WAF): Deploy WAFs to block suspicious traffic and unauthorized script inclusions.
• Update CMS Platforms: Regularly update platforms like WordPress and remove unused plugins to minimize vulnerabilities.

This JavaScript attack highlights the persistent threat posed by black hat SEO campaigns and supply chain vulnerabilities in web development. 

Organizations must adopt proactive measures like CSP, SRI, and regular audits to safeguard their digital assets against such sophisticated threats.