<p>Recently we wrote about how GitHub/GitHub.io was used in attacks that injected cryptocurrency miners into compromised websites. Around the same time, we noticed another attack that also used GitHub for serving malicious code.</p>
Encrypted CoinHive Miner in Header.php
The following encrypted malware was found in the header.php file of the active WordPress theme:
There are four lines of code in total. Each, when decoded, plays a different role.
When decoded, the last two lines inject typical CoinHive cryptocurrency miners:
The miner is injected conditionally: bots are excluded, so only human visitors receive it.
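A defender-side check for the pattern described above, as an added example that is not code from the original post: it peels base64 (and optional gzinflate) layers from string literals in a theme file and reports CoinHive indicators found underneath. The encoding scheme, the marker strings and the sample `header.php` content are assumptions constructed for illustration, since the malware listing itself is not reproduced on this page.

```python
import base64
import re
import zlib

# CoinHive indicators (assumed; the decoded code itself is not reproduced on the page).
MARKERS = ("coinhive.min.js", "coinhive.anonymous", "coinhive.com")
# Quoted literals made only of base64 characters and long enough to carry a payload.
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{40,}={0,2})\1""")

def decode_literal(blob):
    """Return candidate plaintexts for one literal: base64, and base64 + gzinflate."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return []
    layers = [raw]
    try:
        layers.append(zlib.decompress(raw, -15))  # PHP gzinflate() is raw deflate
    except zlib.error:
        pass
    return [layer.decode("latin-1") for layer in layers]

def scan(source, depth=0, max_depth=5):
    """Return sorted (line, marker) hits for encoded literals that hide a miner."""
    hits = set()
    for match in B64_LITERAL.finditer(source):
        line = source.count("\n", 0, match.start()) + 1
        for text in decode_literal(match.group(2)):
            lowered = text.lower()
            hits.update((line, m) for m in MARKERS if m in lowered)
            if depth < max_depth:  # decoded layers often wrap another encoded layer
                nested = scan(text, depth + 1, max_depth)
                hits.update((line, m) for _, m in nested)
    return sorted(hits)

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample (not the code from the page): a script tag under two base64 layers.
INNER = "echo '<script src=\"https://coinhive.com/lib/coinhive.min.js\"></script>';"
LAYER = "eval(base64_decode('%s'));" % b64(INNER)
SAMPLE_HEADER = "<?php\n// theme header\neval(base64_decode('%s'));\n?>\n<html>" % b64(LAYER)
CLEAN_HEADER = "<?php wp_head(); ?>\n<html>"

if __name__ == "__main__":
    for name, src in (("infected", SAMPLE_HEADER), ("clean", CLEAN_HEADER)):
        print(name, scan(src))
```

Hits are reported against the line of the outermost encoded literal, which is the line to inspect and remove in the theme file.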