A widespread cyber campaign has infected more than 269,000 legitimate websites with JavaScript malware known as JSFireTruck, posing a serious threat to users and organizations worldwide.
Between March 26 and April 25, 2025, Palo Alto Networks Unit 42 detected a sudden wave of malicious JavaScript injected into websites. Researchers identified 269,552 unique pages compromised during that period, with a single-day spike of more than 50,000 pages logged on April 12. The injected code uses JSFireTruck, a variant of the JSFuck obfuscation technique that builds the entire script out of a handful of punctuation characters, hiding its purpose from casual inspection and from signature-based detection.
The injected script inspects the visitor's document.referrer value. If the visitor arrived from a search engine such as Google or Bing, the script silently redirects them to an attacker-controlled destination; visitors who arrive directly, including the site's own administrators, see the page as normal. The redirects can lead to malware downloads, exploit kits, malvertising, and other harmful content.
The campaign has also been associated with the HelloTDS traffic distribution service. This multi-stage infrastructure delivers obfuscated JavaScript through .top, .shop, and .com domains and profiles each visitor, recording geolocation, browser fingerprint, and whether a VPN is in use. Visitors it deems worth targeting receive fake CAPTCHA prompts or scam offers; everyone else, including researchers and crawlers, is served benign content.
JSFireTruck and HelloTDS combine stealth with scale. The obfuscation slows malware analysis, and the fingerprinting ensures that only genuine victims receive the malicious content. Observed payloads include the PEAKLIGHT loader, which in turn deploys information stealers such as Lumma Stealer. This layered camouflage makes detection and defense especially difficult.
Any user who reaches a compromised site through a search engine may be redirected. Even otherwise reputable sites served over HTTPS can deliver the injected script without alerting their administrators, not least because an administrator who loads the page directly carries no search-engine referrer and never triggers the redirect. The campaign spans a wide range of industries and regions, so no single sector can assume it is out of scope.
Security experts urge webmasters to scan their sites, including externally loaded scripts, for unexpected obfuscated JavaScript, and to use endpoint protection that detects JSFireTruck patterns. Users should consider adblockers or script-blocking extensions to prevent the injected code from executing, and should open untrusted URLs only in sandboxed environments.
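The following is an added example, not code from the Unit 42 report or from the campaign itself. It shows two things a practitioner would want from the description above: a triage heuristic that flags inline scripts built almost entirely from JSFuck-style punctuation, and a model of the referrer gate that explains why an administrator loading the page directly sees nothing. The character set, density threshold, search-engine list and the sample HTML are constructed assumptions for illustration; the real script's exact alphabet and referrer list are not reproduced here.

```javascript
// Added example: heuristics for spotting JSFuck-style obfuscation in a page's
// inline scripts, plus a model of the search-engine referrer gate. Character
// set, thresholds, host list and sample inputs below are assumptions.

// JSFuck builds every value from a handful of punctuation characters. A script
// whose non-whitespace content is almost entirely drawn from this set is far
// more likely to be an encoded payload than hand-written code. "$" and "_" are
// included because JSFuck-derived encoders commonly lean on them (assumption).
const OBFUSCATION_CHARS = new Set(['[', ']', '(', ')', '!', '+', '$', '_']);
const DENSITY_THRESHOLD = 0.9; // assumption: tune against your own script corpus
const MIN_LENGTH = 64;         // ignore tiny snippets that trip the ratio by chance

// Fraction of non-whitespace characters that come from OBFUSCATION_CHARS.
function obfuscationDensity(source) {
  const chars = source.replace(/\s+/g, '');
  if (chars.length === 0) return 0;
  let hits = 0;
  for (const ch of chars) if (OBFUSCATION_CHARS.has(ch)) hits++;
  return hits / chars.length;
}

function looksObfuscated(source) {
  const stripped = source.replace(/\s+/g, '');
  return stripped.length >= MIN_LENGTH && obfuscationDensity(source) >= DENSITY_THRESHOLD;
}

// Pull inline <script> bodies out of an HTML document. A regex is enough for a
// triage sweep; a real crawler should also fetch src= scripts, since the
// injection may live in a separate file.
function extractInlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Returns {index, density} for every inline script that trips the heuristic.
function scanHtml(html) {
  const findings = [];
  extractInlineScripts(html).forEach((body, index) => {
    if (looksObfuscated(body)) {
      findings.push({ index, density: Number(obfuscationDensity(body).toFixed(2)) });
    }
  });
  return findings;
}

// Analysis step only: executes the fragment to recover the string it encodes.
// Run this solely inside an isolated analysis VM, never on a production host.
function decodeFragment(fragment) {
  return new Function('return (' + fragment + ')')();
}

// Model of the referrer gate: returns the search engine the visit came from,
// or null for direct visits and unknown referrers. Hosts beyond Google and
// Bing, and the exact matching rules, are assumptions.
function referrerSearchEngine(referrer) {
  if (!referrer) return null; // direct visit: the admin checking the site sees nothing
  let host;
  try { host = new URL(referrer).hostname.toLowerCase(); } catch (e) { return null; }
  if (/(^|\.)google\.[a-z.]+$/.test(host)) return 'google';
  if (/(^|\.)bing\.com$/.test(host)) return 'bing';
  return null;
}

// Constructed sample: a benign analytics stub followed by a genuine JSFuck
// fragment that evaluates to the string "return".
const JSFUCK_SAMPLE =
  '(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+' +
  '(!![]+[])[!+[]+!+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]';
const SAMPLE_HTML = `<html><head>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}</script>
</head><body><p>hello</p>
<script>${JSFUCK_SAMPLE}</script>
</body></html>`;

console.log('flagged scripts:', scanHtml(SAMPLE_HTML));
console.log('decoded fragment:', decodeFragment(JSFUCK_SAMPLE));
console.log('gate fires for direct visit?', referrerSearchEngine('') !== null);
console.log('gate fires from Google?', referrerSearchEngine('https://www.google.com/search?q=x') !== null);
```

To reproduce a victim's view when checking a suspect site, request the page with a search-engine Referer header (or navigate to it from a real search result) in a sandbox and compare the response with a direct visit; the gate modelled above is why the two differ.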
Stay updated on cybersecurity alerts and make sure your browser, plugins, and security tools are always current.