Over the last few days, visitors to thousands of websites have unwittingly earned criminals money, by running software that generates virtual currency just quietly.
Several government sites, including that of the United Kingdom Information Commissioner's Office, planted malicious code on visitors' computers. That's the official watchdog whose job it is to safeguard users' digital information, and they dished out malicious code on every page on their site.
A quick scan using a site source code search engine showed that New Zealand government and private organisation sites too serve up malicious code.
That's alarming, and the attacks sparked a warning to users and site administrators from Britain's National Cyber Security Centre, run by the Government Communications Headquarters signals intelligence spooks, that everyone needs to be careful out there.
NCSC called the attack cryptojacking, but it should really be named script-jacking. Someone swapped out the legit Browsealoud Javascript library which is used to add accessibility to websites for a malicious variant.