More than 2,000 websites running the open source WordPress content management system are infected with malware, researchers warned late last week. The malware in question logs passwords and just about anything else an administrator or visitor types.

The keylogger is part of a malicious package that also installs an in-browser cryptocurrency miner that's surreptitiously run on the computers of people visiting the infected sites. Data provided here, here, and here by website search service PublicWWW showed that, as of Monday afternoon, the package was running on 2,092 sites.

Website security firm Sucuri said this is the same malicious code it found running on almost 5,500 WordPress sites in December. Those infections were cleaned up after cloudflare[.]solutions—the site used to host the malicious scripts—was taken down. The new infections are hosted on three new sites, msdns[.]online, cdns[.]ws, and cdjs[.]online. None of the sites hosting the code has any relation to Cloudflare or any other legitimate company.

"Unfortunately for unsuspecting users and owners of the infected websites, the keylogger behaves the same way as in previous campaigns," Sucuri researcher Denis Sinegubko wrote in a blog post. "The script sends data entered on every website form (including the login form) to the hackers via the WebSocket protocol."

The attack works by injecting a variety of scripts into WordPress websites. The scripts injected in the past month include:

hxxps://cdjs[.]online/lib.js

hxxps://cdjs[.]online/lib.js?ver=…

hxxps://cdns[.]ws/lib/googleanalytics.js?ver=…

hxxps://msdns[.]online/lib/mnngldr.js?ver=…

hxxps://msdns[.]online/lib/klldr.js

Attackers inject the cdjs[.]online script into either a site's WordPress database (wp_posts table) or into the theme's functions.php file, as was the case in the December attack that used the cloudflare[.]solutions site. Sinegubko also found the cdns[.]ws and msdns[.]online scripts injected into the theme's functions.php file. Besides logging keystrokes typed into any input field, the scripts load other code that causes site visitors to run JavaScript from Coinhive that uses visitors' computers to mine the cryptocurrency Monero with no warning.

The Sucuri post doesn't explicitly say how sites are getting infected. In all likelihood, the attackers are exploiting security weaknesses resulting from the use of out-of-date software.

"While these new attacks do not yet appear to be as massive as the original Cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection," Sinegubko wrote. "It's possible that some of these websites didn't even notice the original infection."

People who want to clean up infected sites should follow these steps. It is critical that site operators change all site passwords since the scripts give attackers access to all the old ones.