Massive Malware Campaign Infects Over 269,000 Websites with Malicious JavaScript

Cybersecurity experts have reported a large-scale campaign that has compromised more than 269,000 legitimate websites by injecting malicious JavaScript, which researchers at Palo Alto Networks’ Unit 42 have named JSFireTruck. The injected code is obfuscated with a technique known as JSFuck, which writes executable code using only a limited character set and so disguises what the code does.
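Because the obfuscation described above relies on a tiny alphabet, a site owner can look for it in their own pages. The following is an added example, not code from Unit 42 or from the campaign: it scans inline scripts for long runs of JSFuck-style symbols. The alphabet (JSFuck's six characters plus $, { and }), the thresholds and the sample page are assumptions constructed for illustration.

```javascript
// Added example: flags inline <script> bodies dominated by JSFuck-style symbols.
// Assumption: the alphabet is JSFuck's six characters ([ ] ( ) ! +) plus $ { }
// to catch variants; tune it and the thresholds against your own pages.
const SYMBOLS = new Set("[]()!+${}");

// Longest run of consecutive alphabet characters, ignoring whitespace.
function longestSymbolRun(code) {
  let best = 0, run = 0;
  for (const ch of code) {
    if (SYMBOLS.has(ch)) { run += 1; best = Math.max(best, run); }
    else if (!/\s/.test(ch)) run = 0;
  }
  return best;
}

// Share of non-whitespace characters that belong to the alphabet.
function symbolRatio(code) {
  const chars = [...code].filter((ch) => !/\s/.test(ch));
  if (chars.length === 0) return 0;
  return chars.filter((ch) => SYMBOLS.has(ch)).length / chars.length;
}

// One finding per inline script; scripts loaded via src have empty bodies here.
function scanHtml(html, { minRun = 60, minRatio = 0.8 } = {}) {
  const findings = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m, index = 0;
  while ((m = re.exec(html)) !== null) {
    const body = m[1];
    const run = longestSymbolRun(body);
    const ratio = symbolRatio(body);
    const dense = body.trim().length >= minRun && ratio >= minRatio;
    findings.push({ index: index++, length: body.length, run, ratio,
                    suspicious: run >= minRun || dense });
  }
  return findings;
}

// Constructed sample page: one ordinary script, and one harmless JSFuck-style
// expression (it only builds a short string) repeated to a realistic length.
const fragment = "(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+";
const samplePage = `<html><head>
<script>function init(items) { return items.map((x) => x[0] + (x[1] || 0)); }</script>
<script>var t = ${fragment.repeat(8)}[];</script>
</head><body></body></html>`;

console.log(scanHtml(samplePage));
```

A hit is a reason to diff the page against a known-good copy, not proof of compromise, since some legitimate minified code can also be symbol-heavy.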

Unit 42 noted that the malicious scripts are crafted to check the referrer of incoming traffic. When the referrer is recognized as a search engine like Google or Bing, victims are rerouted to harmful URLs that may deliver malware, exploits, or unwanted ads. The widespread nature of this infection raises serious concerns about cybersecurity and the safety of web browsing.

In a concerning update, telemetry data showed a spike in infections on April 12, 2025, with over 50,000 infected pages documented in a single day. The team’s analysis highlighted the stealth and scale of this attack, indicating a coordinated effort to exploit legitimate websites as vectors for further malicious operations. The sophisticated nature of this campaign poses a significant risk to users and underscores the need for vigilant online security practices.

Researchers also flagged the emergence of a new Traffic Distribution Service (TDS) named HelloTDS, which redirects users based on the results of a multi-stage fingerprinting process that evaluates geolocation, IP address, and browser information. If determined to be suitable targets, users may encounter phishing schemes that lead to tech support scams or malware infections.