Overview
- GoDaddy disclosed on June 1–2, 2026 that researchers found about 1,980 WordPress sites infected by a multi-stage campaign that remains active and hard to remove.
- The campaign reads Steam Community profile comments for six invisible Unicode characters and decodes them into binary commands that tell infected sites where to fetch code.
- The decoded data builds URLs pointing to hello-mywordl[.]info, and a script named to resemble a common library (for example lodash.core.min.js) is enqueued on every frontend page.
- A server-side backdoor installed on infected sites listens during page loads for authenticated POST requests; these use cookies such as tEcaKKXEsb and a new_code parameter to deliver base64-encoded PHP that can overwrite plugin and theme files.
- GoDaddy published indicators and recovery advice, and urges site owners to restore from known-clean backups or perform exhaustive file and database checks: the backdoor can reinstall components, so partial cleanup is likely to fail.
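
A check a site owner can run against rendered frontend HTML, added here as an illustration and not taken from GoDaddy's advisory: it flags script tags served from the indicator domain above, and scripts that carry a common library's file name but come from a host the site does not normally use. The library-name list, the allowlisted CDN, the sample page and the URL path on the indicator domain are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Indicator domain from the overview, kept defanged in source and refanged at runtime.
IOC_HOSTS = {"hello-mywordl[.]info".replace("[.]", ".")}
# Assumption: library file-name prefixes worth treating as "looks like a common library".
LIBRARY_NAMES = ("lodash", "jquery", "underscore", "backbone", "react")
# Assumption: third-party hosts this site legitimately loads scripts from.
ALLOWED_HOSTS = {"cdn.jsdelivr.net"}

class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def audit_scripts(html, site_host):
    """Return (reason, src) pairs for script tags that need review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        parsed = urlparse(src, scheme="https")
        host = parsed.hostname or site_host   # relative URLs resolve to the site itself
        name = posixpath.basename(parsed.path).lower()
        if host in IOC_HOSTS or any(host.endswith("." + h) for h in IOC_HOSTS):
            findings.append(("ioc-domain", src))
        elif (host != site_host and host not in ALLOWED_HOSTS
              and name.startswith(LIBRARY_NAMES)):
            findings.append(("library-name-on-unknown-host", src))
    return findings

# Constructed sample page (not captured from a real infection).
_IOC = next(iter(IOC_HOSTS))
SAMPLE_HTML = f"""
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lodash@4/lodash.min.js"></script>
<script src="https://{_IOC}/lodash.core.min.js"></script>
<script src="//static.example.net/js/lodash.core.min.js"></script>
"""

if __name__ == "__main__":
    print(audit_scripts(SAMPLE_HTML, "blog.example.com"))
```

A clean result from this check does not show the site is clean, since the server-side backdoor described above leaves no trace in the rendered HTML.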