A long-running malware campaign infected about 1,980 WordPress websites and hid its command-and-control data inside Steam Community profile comments. GoDaddy says the malware, tracked since July 2025, uses invisible Unicode characters in Steam comments to encode a payload that builds a hello-mywordl[.]info URL, then injects JavaScript disguised as common libraries and installs a PHP backdoor that executes code sent in specially crafted POST requests with a specific cookie. The initial compromise route is unknown but may involve stolen WordPress or FTP credentials, vulnerable themes or plugins, or a supply-chain compromise.
Why it matters: WordPress site owners and hosting teams should treat this as an active website compromise, not just a nuisance script, because it includes a persistent backdoor that can reinfect a site if cleanup is incomplete. Check for outbound requests to Steam from WordPress servers, suspicious JavaScript injections, and restore from a known-good backup where possible.
Bill Toulas
2026.06.01
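The two checks suggested above, as an added example that is not code from GoDaddy or the original report: it hunts egress logs for requests to Steam Community or the reported C2 domain, and flags runs of invisible characters in retrieved comment text. The log format, the sample lines, the function names and the use of Unicode category Cf as the definition of "invisible" are assumptions; `steamcommunity.com` is Steam Community's public domain.

```python
import unicodedata
from urllib.parse import urlsplit

# Steam Community's public domain, plus the C2 domain named in the report.
WATCHED_DOMAINS = ("steamcommunity.com", "hello-mywordl.info")

# Constructed egress-proxy lines: "<timestamp> <source> <method> <url>" (assumed format).
SAMPLE_LOG = """\
2026-05-30T10:01:02Z 10.0.0.12 GET https://api.wordpress.org/core/version-check/1.7/
2026-05-30T10:01:09Z 10.0.0.12 GET https://steamcommunity.com/profiles/0000000000/allcomments
2026-05-30T10:01:10Z 10.0.0.12 GET https://hello-mywordl.info/placeholder.js
2026-05-30T10:02:00Z 10.0.0.15 GET https://steamcommunity.com.example.net/x
2026-05-30T10:02:05Z 10.0.0.15 GET https://notsteamcommunity.com/
"""

# Constructed comment text: visible words followed by five zero-width characters.
SAMPLE_COMMENT = "nice profile" + "\u200b\u200c\u200d\u200b\u200c" + "!"

def watched(host):
    """Return the watched domain that host equals or is a subdomain of, else None."""
    host = (host or "").lower().rstrip(".")
    for domain in WATCHED_DOMAINS:
        # Exact or dot-anchored suffix match avoids look-alike hostnames.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def hunt(log_text):
    """Return (timestamp, source, domain) for every request to a watched domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        ts, src, _method, url = parts
        domain = watched(urlsplit(url).hostname)
        if domain:
            hits.append((ts, src, domain))
    return hits

def invisible_runs(text, min_len=4):
    """Return (offset, length) for runs of Unicode format (Cf) characters."""
    runs, start = [], None
    for i, ch in enumerate(text + "x"):  # sentinel closes a trailing run
        if unicodedata.category(ch) == "Cf":
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    return runs
```

A hit from `hunt` on a host that only serves WordPress is a lead for triage, since a web server rarely has a legitimate reason to fetch Steam profile pages.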