A keylogger has been discovered in at least 2,000 WordPress sites. The threat actors searched for unsecured WordPress sites – often running older versions, themes, or plugins – and exploited known vulnerabilities to inject malicious code into their source code. The malicious code loads a keylogger hosted on a third-party domain and an in-browser cryptocurrency miner to mine Monero using the CPU power of site visitors. This campaign has been ongoing since April 2017, utilizing various third-party domains to host the keylogger. The NJCCIC recommends all WordPress site administrators review the Sucuri report, check sites for suspicious scripts and unauthorized changes, implement a web application firewall (WAF) to identify and prevent modifications of core WordPress files, and always keep WordPress and any installed plugins up-to-date.