Massive JSFireTruck Malware Campaign Infects Over 269,000 Websites


Security researchers have uncovered a large and growing cyberattack campaign that has infected hundreds of thousands of legitimate websites with malicious JavaScript code. 

The culprits behind this operation are using an obscure but powerful JavaScript obfuscation method dubbed JSFireTruck, a nickname coined by Palo Alto Networks’ Unit 42 researchers.

At the heart of this campaign is an unusually disguised form of JavaScript that appears almost unreadable to the average developer. Instead of normal words and functions, the malicious code is constructed using a set of symbols: [, ], +, !, (, and ). These characters are manipulated using JavaScript’s own rules to recreate any code the attacker wants, without revealing the code’s real purpose.

How JSFireTruck works

Attackers inject this obfuscated JavaScript into trusted websites. The code appears strange and unreadable at first glance, often consisting of combinations like +[], ![], or ({}+[]). But beneath the mess lies a powerful script.

“The code’s obfuscation hides its true purpose, hindering analysis,” said researchers Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal in a report by Unit 42.

The injected malicious code operates by checking document.referrer, which indicates the website from which a visitor came. If the referrer is a popular search engine such as Google, Bing, DuckDuckGo, Yahoo!, or AOL, the JSFireTruck code redirects the victim to harmful URLs.

These malicious destinations can lead to a variety of unwanted outcomes, including malware downloads, exploits, malvertising, and traffic monetization schemes. In some cases, the script loads an invisible iframe that covers the entire browser window, hiding the real website content and forcing users to interact with the attacker’s page instead.

The campaign’s deceptive nature means that a website might appear perfectly normal to a casual observer while secretly diverting a portion of its traffic to nefarious sites.

The scale of the JSFireTruck campaign is a major concern for cybersecurity experts. Between March 26 and April 25, 2025, Unit 42 telemetry detected a staggering 269,552 webpages infected with this JavaScript code. A notable surge in activity was observed on April 12, when over 50,000 infected webpages were recorded in a single day.

“The campaign’s scale and stealth pose a significant threat,” the Unit 42 researchers emphasized. “The widespread nature of these infections suggests a coordinated effort to compromise legitimate websites as attack vectors for further malicious activities.”


How to stay protected

Experts warn that the silent nature of these attacks makes them particularly dangerous. Many website owners may not even know their sites are infected.

Unit 42 recommends that web administrators regularly scan and update their websites, monitor for unexpected scripts, and use advanced security tools to detect obfuscated threats. Website owners should closely monitor traffic analytics and conduct regular audits of their web content for suspicious code, particularly if their sites rely heavily on third-party scripts or plugins.
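One way to run the kind of content audit recommended above, as an added example that is not from Unit 42 or the original article: it flags inline scripts that contain a long unbroken run of the six characters [ ] + ! ( ). The 40-character threshold, the function names and the sample page are assumptions constructed for illustration.

```javascript
// The six characters the article names as the JSFireTruck alphabet: [ ] + ! ( )
const SYMBOLS = "[\\[\\]+!()]";
// A run is a sequence of those characters, optionally separated by whitespace.
const RUN_RE = new RegExp(`${SYMBOLS}+(?:\\s+${SYMBOLS}+)*`, "g");
const SYMBOL_RE = new RegExp(SYMBOLS, "g");
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
const MIN_RUN = 40; // assumed threshold; tune against your own site's scripts

// Longest symbol-only run in a piece of JavaScript (whitespace not counted).
function longestRun(code) {
  let best = { length: 0, offset: -1 };
  for (const m of code.matchAll(RUN_RE)) {
    const len = m[0].replace(/\s/g, "").length;
    if (len > best.length) best = { length: len, offset: m.index };
  }
  return best;
}

// Scan the inline <script> bodies of one HTML document. External scripts
// are not fetched here; pass their file contents to longestRun() instead.
function scanHtml(html, minRun = MIN_RUN) {
  const findings = [];
  let index = 0;
  for (const m of html.matchAll(SCRIPT_RE)) {
    const body = m[1];
    const run = longestRun(body);
    const symbols = (body.match(SYMBOL_RE) || []).length;
    const nonWs = body.replace(/\s/g, "").length;
    if (run.length >= minRun) {
      findings.push({
        script: index,               // position of the <script> in the page
        longestRun: run.length,      // characters in the longest run
        offset: run.offset,          // where that run starts in the script
        density: nonWs ? symbols / nonWs : 0, // share of the script's characters
      });
    }
    index++;
  }
  return findings;
}

// Constructed sample: one ordinary script and one symbol-only expression
// (it evaluates to a harmless string of zeros).
const SAMPLE_RUN = "[+[]]+".repeat(12) + "[]";
const SAMPLE_PAGE = `<html><script>if (!(a[0] + b[1])) { init(); }</script>
<script>var x = ${SAMPLE_RUN};</script></html>`;

console.log(scanHtml(SAMPLE_PAGE));
```

A hit is a prompt to review the script, not proof of compromise, since the same encoding is occasionally used in legitimate puzzles and demos.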

Aminu Abdullahi
