The Coinhive crypto mining code has been recently detected on more than 300 government and university websites worldwide, cyber security researcher Troy Mursch reported Saturday, May 5. According to the report, all the affected websites are using a vulnerable version of the Drupal content management system.

As the researcher posted on Twitter May 4, he was alerted to this particular campaign via the attack on the websites of the San Diego Zoo, and the government of Chihuahua, Mexico. Both websites reportedly had Coinhive injected into their Javascript libraries in the same way.

Coinhive is a JavaScript program created to mine Monero (XMR) via a web browser. It is marketed to website owners as an alternative form of monetization, instead of online advertising.

According to Mursch, this recent “high-profile” case of cryptojacking – the use of another’s device to mine crypto without their knowledge – infected 348 websites, including such websites as The National Labor Relations Board, a U.S. federal agency, and the Lenovo user account website.

As Mursch discovered, most of affected sites’ domains were in the U.S. and mainly hosted on Amazon. The full list of infected websites is attached to the original report.

Since its creation in 2017, malicious deployment of the Coinhive miner have led to it becoming the number one “Most Wanted Malware”, according to a Jan. 2018 report.

Coinhive has in fact been used as an alternative for online ads, which can be less malicious but still misleading, by high-profile brands such as Salon and The Pirate Bay.

Back in January, Cointelegraph reported a massive cryptojacking incident that caused 55 percent of online businesses, including Youtube, to unknowingly run crypto miners on websites via the Google DoubleClick advertising platform. According to the report, 90 percent of the ads were using the Coinhive miner.