Crooks compromise WordPress sites to push infostealers via fake CAPTCHA prompts

Summary

Researchers at Rapid7 say criminals quietly compromised more than 250 legitimate WordPress websites across at least 12 countries and injected code that serves visitors a convincing fake Cloudflare CAPTCHA. Instead of a normal bot check, the prompt tells users to copy and paste a command into their machine — which then downloads and installs an infostealer that harvests browser-stored credentials, authentication cookies, and cryptocurrency wallet data. Rapid7 notes the campaign has been active in this form since December 2025 and appears to be highly automated; they notified US authorities after finding an affected US Senate candidate’s campaign page.

Key Points

  • Rapid7 identified over 250 compromised WordPress sites across 12+ countries, including media outlets, small businesses and a US Senate candidate’s official page.
  • Attackers inject malicious code to display a fake Cloudflare CAPTCHA that instructs visitors to run a command — a social-engineering technique linked to the ClickFix playbook.
  • If followed, the instructions install an infostealer that quietly exfiltrates credentials, cookies and crypto wallet information.
  • Stolen data is routinely sold on cybercrime marketplaces, enabling further account takeovers without fresh intrusions.
  • Campaign infrastructure dates back to mid-2025, and the observed activity since December 2025 suggests large-scale automation and a sustained criminal effort.
  • Using legitimate, trusted sites as delivery mechanisms helps the attackers evade detection and exploit user trust in familiar domains.
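For site owners, the practical question behind these points is how to notice that code has been injected into a page. The script below is an added example, not code from the Rapid7 report or The Register article; it assumes you keep a known-good copy of each page's HTML (taken after a clean deploy) and periodically compare the live page against it. Any inline `<script>` block not in the baseline is reported, and blocks mentioning Cloudflare or CAPTCHA wording are flagged for priority review. The HTML samples are constructed for illustration, and the keyword list is an assumption based only on the fake-CAPTCHA lure described above.

```python
"""Flag inline <script> blocks that were not present in a known-good baseline.

Added example (not from Rapid7 or The Register). Assumptions: you store a
clean copy of each page and re-fetch the live page on a schedule; the
keyword list below is a heuristic derived from the fake Cloudflare CAPTCHA
lure, not an indicator published with the campaign.
"""
import hashlib
import re
from html.parser import HTMLParser


class _InlineScriptCollector(HTMLParser):
    """Collects the bodies of inline <script> elements (those without src=)."""

    def __init__(self):
        super().__init__()
        self._in_inline_script = False
        self._buf = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script" and not any(k.lower() == "src" for k, _ in attrs):
            self._in_inline_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline_script:
            self._in_inline_script = False
            body = "".join(self._buf).strip()
            if body:
                self.scripts.append(body)


def inline_scripts(html):
    """Return the bodies of all inline scripts in an HTML document."""
    parser = _InlineScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def script_fingerprint(body):
    """SHA-256 over whitespace-normalised script text, so reflowed copies match."""
    return hashlib.sha256(" ".join(body.split()).encode()).hexdigest()


# Heuristic terms matching the fake-CAPTCHA lure (assumption, not a published IoC).
SUSPICIOUS_PATTERNS = [
    re.compile(r"cloudflare", re.I),
    re.compile(r"captcha", re.I),
    re.compile(r"verify you are human", re.I),
]


def find_injected_scripts(baseline_html, live_html):
    """Report inline scripts in live_html whose fingerprint is absent from baseline_html."""
    known = {script_fingerprint(s) for s in inline_scripts(baseline_html)}
    findings = []
    for body in inline_scripts(live_html):
        fp = script_fingerprint(body)
        if fp in known:
            continue
        hits = [p.pattern for p in SUSPICIOUS_PATTERNS if p.search(body)]
        findings.append({"sha256": fp, "suspicious_terms": hits, "preview": body[:80]})
    return findings


# Constructed sample pages: a clean baseline and a live copy with one extra inline script.
BASELINE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><h1>Example blog</h1></body></html>"""

LIVE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>document.body.insertAdjacentHTML("beforeend",
  "<div id='cf-check'>Cloudflare CAPTCHA - Verify you are human</div>");</script>
</head><body><h1>Example blog</h1></body></html>"""

if __name__ == "__main__":
    for finding in find_injected_scripts(BASELINE_HTML, LIVE_HTML):
        print(finding["sha256"][:16], finding["suspicious_terms"], finding["preview"])
```

A baseline diff of this kind catches any new inline script, not just ones that match the keywords; the keyword hits only decide what to look at first. Run it against the rendered HTML the public sees (not only the theme files on disk), since injected code may be added by a compromised plugin or database record rather than a modified file.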

Context and Relevance

This campaign highlights the risk of trusting third-party sites and common UX patterns. By mimicking a familiar Cloudflare CAPTCHA, attackers lower suspicion and rely on victims to execute the compromise themselves. It’s especially relevant to WordPress administrators, site owners, security teams and anyone who might paste terminal commands from a webpage. The incident underscores two trends: criminal reuse of social-engineering playbooks (ClickFix-style) and the weaponisation of reputable sites as delivery vectors.

Why should I read this?

Because it’s exactly the kind of neat little con that’ll nab your passwords while you think you’re just proving you’re not a bot. If you manage WordPress sites, handle user security, or ever paste commands from web pages — pay attention. We’ve done the legwork so you don’t have to wade through the full Rapid7 write-up first.

Author style

Punchy — the story is short but important. The scale and automation mean this isn’t a one-off prank: if you care about account security or run web properties, the full details and mitigations are worth reading.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/03/10/crooks_hijack_wordpress_sites/