Linkedin Tag

Back to blog

Government and university websites targeted in ScriptAPI[.]dev client-side attack

Tuesday, January 21st, 2025

H

Himanshu Anand

Yesterday we discovered another client-side JavaScript attack targeting +500 websites, including governments and universities. The injected scripts create hidden links in the Document Object Model (DOM), pointing to external websites, a programming interface for web documents.

As of now, no threat feeds have detected this attack.

We believe this is a black hat Search Engine Optimization (SEO) campaign. The injected scripts create hidden links, pointing to external websites. These links are styled to be invisible to users using CSS:

style="overflow: auto; position: absolute; height: 0pt; width: 0pt;"

The malicious scripts are hosted at scriptapi[.]dev. We found multiple variants of the same script, hosted on the same domain:

  • scriptapi[.]dev/api/smacr[.]js
  • scriptapi[.]dev/api/en[.]tlu[.]js
  • scriptapi[.]dev/api/sie[.]tlu[.]js
  • scriptapi[.]dev/api/ppymca[.]js
  • scriptapi[.]dev/api/pbsgc[.]js
  • scriptapi[.]dev/api/adventum[.]js
  • scriptapi[.]dev/api/harvardpress[.]js
  • scriptapi[.]dev/api/krachelart[.]js
  • scriptapi[.]dev/api/malagaadventures[.]js

Our domain directory identified the malicious domain on January 20th, 2025.

The Script’s Mechanism:

  1. Retrieve the script tag:Using document.currentScript, the malicious script identifies its location in the DOM.
  2. Inject hidden links:It uses the insertAdjacentHTML('beforebegin', linksHTML) method to insert the links before the script tag in the DOM.

A screenshot taken from an affected website, showing multiple domains being visibly hidden:

const linksHTML = `
<div style="text-align: center; display: table-column">
<a href="https://fullfilmizle[.]net/" title="full film izle">full film izle</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://myremedyproducts[.]com" title="myremedyproducts[.]com">myremedyproducts[.]com</a>
<a href="https://albalondres[.]com" title="albalondres[.]com">albalondres[.]com</a>
<a href="https://kineticartstucson[.]com" title="kineticartstucson[.]com">kineticartstucson[.]com</a>
<a href="https://stolenbeauty[.]org" title="stolenbeauty[.]org">stolenbeauty[.]org</a>
<a href="https://www.bilgihocasi[.]com" title="www.bilgihocasi[.]com">www.bilgihocasi[.]com</a>
<a href="https://joinoilfield[.]com" title="joinoilfield[.]com">joinoilfield[.]com</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://betswot[.]com" title="starzbet">starzbet</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://alanyasmmm[.]com/" rel="dofollow">alanya escort</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://nevizadecafe[.]com/" title="deneme bonusu">deneme bonusu</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://alansh[.]com" title="tlcasino">tlcasino</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://pmtips[.]net/">crackstreams</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="http://lasip[.]net/" title="antalya escort bayan">antalya escort bayan</a>
<a href="http://www.niceescorts[.]com/" title="antalya escort">antalya escort</a>
<a href="https://www.shushescort[.]com/" title="istanbul escort bayan">istanbul escort bayan</a>
<a href="https://servissirinevler[.]com/" title="şirinevler escort bayan">şirinevler escort bayan</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://www.umraniyeti[p.]net/anadolu-yakasi/kadikoy-escort/">escort kadıköy</a>
<a href="http://www.doescorts[.]com/">www.doescorts[.]com</a>
<a href="http://www.umraniyeescorts[.]com/">ümraniye escort bayanlar</a>
<a href="http://www.maltepeescort[.]com/">escort maltepe</a>
<a href="https://pendikroyal[.]com/">pendik escort</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://www.xxxpornxxx[.]net/video/12776/nunziato-xxx-porn/" title="nunziato xxx porn">nunziato xxx porn</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://www.ipsnews[.]net/">streameast</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://yatirimbonusu[.]com/" title="deneme bonusu veren siteler">deneme bonusu veren siteler</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://justgpu[.]com/" title="deneme bonusu veren siteler">deneme bonusu veren siteler</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://sojienergy[.]com/" title="deneme bonusu veren siteler">deneme bonusu veren siteler</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://romabet.online" target="_blank" title="romabet giriş">romabet giriş</a>
<a href="https://betgargirisyap[.]com" target="_blank" title="betgar giriş">betgar giriş</a>
<a href="https://romabetgiris3[.]com" target="_blank" title="romabet giriş">romabet giriş</a>
<a href="https://roketbetgirisyap[.]com" target="_blank" title="roketbet giriş">roketbet giriş</a>
<a href="https://roketbet[.]net" target="_blank" title="roketbet giriş">roketbet giriş</a>
<a href="https://roketbetgiris[.]com" target="_blank" title="roketbet giriş">roketbet giriş</a>
<a href="https://ligobetbahis[.]com/" target="_blank" title="ligobet giriş">ligobet giriş</a>
<a href="http://ligobet1[.]net" target="_blank" title="ligobet giriş">ligobet giriş</a>
<a href="https://ligobetgiris[.]org/" target="_blank" title="ligobet giriş">ligobet giriş</a>
<a href="https://ligobetgirisi[.]com/" target="_blank" title="ligobet giriş">ligobet giriş</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://denemebonususiteleri[.]net/" title="deneme bonusu veren siteler">deneme bonusu veren siteler</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://princearthurherald[.]com/" title="deneme bonusu veren siteler">deneme bonusu veren siteler</a>
<a href="https://westpasco[.]com/" title="deneme bonusu veren siteler">deneme bonusu veren siteler</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://www.airstreamofchicago[.]com/" title="casino siteleri">casino siteleri</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://chrisspielman[.]com/" title="deneme bonusu" target="_blank">deneme bonusu</a>
<a href="https://www.bestwesterndesignerinn[.]com/" title="deneme bonusu veren siteler" target="_blank">deneme bonusu veren siteler</a>
<a href="https://www.catch25li[.]com/" title="Canlı casino siteleri" target="_blank">Canlı casino siteleri</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="http://1xbetm[.]info/" title="1xbet giriş">1xbet giriş</a>
<a href="https://xslotx[.]com/trx/" title="xslot giriş">xslot giriş</a>
<a href="https://zbahisz[.]com/zb/" title="zbahis">zbahis</a>
<a href="https://betturkeygiris[.]org/tur/" title="betturkey giriş">betturkey giriş</a>
<a href="https://www.trbetr[.]com/" title="trbet">trbet</a>
<a href="https://www.wiibet[.]com/tr10/" title="betist">betist</a>
<a href="https://babilonbeto[.]com/" title="babilonbet">babilonbet</a>
<a href="https://betrollere[.]com/" title="betroller">betroller</a>
<a href="https://bahisbudurtr[.]com/" title="bahisbudur">bahisbudur</a>
<a href="https://www.bahiscom[.]info/tr/" title="bahis[.]com">bahis[.]com</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://siliconvalleywineries[.]com/" title="deneme bonusu veren siteler" target="_blank">deneme bonusu veren siteler</a>
<a href="https://tapoutdrinks[.]com/" title="casino siteleri" target="_blank">casino siteleri</a>
<a href="https://www.qujapan1635[.]com/" title="bahis siteleri" target="_blank">bahis siteleri</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://buy.fans/" title="buy.fans">buy.fans</a>
</div>
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a href="https://mobilbahisgir[.]net/" title="mobilbahis">mobilbahis</a>
<a href="https://rokubetgir[.]com/" title="rokubet">rokubet</a>
</div>
`;
const scriptTag = document.currentScript;
scriptTag.insertAdjacentHTML('beforebegin', linksHTML);

The goal of this attack

These invisible links are indexed by search engines. These search engines detect the links on reputable websites and attribute SEO value to them. These links are hidden, so they don’t disrupt the user experience or be easily detected by the website owners.

Approaches like these are often called black hat SEO techniques.

We found over 500 websites affected by this campaign, including major government and university domains. Affected sites used a wide range of frameworks, indicating the attack's broad scope:

  • WordPress 6.7.1
  • MS ASP[.]NET
  • vBulletin
  • PHP CodeIgniter
  • 1C-Bitrix

Most of these websites are public here:

https://publicwww.com/websites/scriptapi.dev/
https://urlscan.io/search/#scriptapi.dev

Broader Implications

This attack highlights the growing risk of supply chain attacks in web development. Third-party scripts are often a point of weakness due to their direct access to the DOM. This allows them to perform virtually any action in the user's browser, the end point of the web supply chain.

How to prevent attacks like these

c/side can spot, alert and block attacks like these due to our advanced detection engine and proxy. If you’re not a c/side customer, here are other steps you can take:

  1. Implement a Content Security Policy (CSP):Restrict the inclusion of third-party scripts to trusted domains.
  2. Use Subresource Integrity (SRI):Validate the integrity of externally hosted scripts by comparing hashes.
  3. Monitor DOM Changes:Use tools or scripts to detect unauthorized DOM modifications, especially the injection of hidden elements.
  4. Regularly Audit Third-Party Scripts:Periodically review dependencies and ensure no unauthorized changes have been made.
  5. Use Web Application Firewalls (WAF):Protect your website from suspicious traffic and unauthorized script inclusions.

Start using c/side for free today or contact us to mitigate risks

H

More About Himanshu Anand

I'm a software engineer and security analyst at c/side.