Rapid7 says crims broke into more than 250 sites globally, including a US Senate candidate’s campaign page


Cyber baddies quietly compromised legitimate WordPress websites, including the campaign site of a US Senate candidate, turning them into launchpads for a global infostealer operation.

Researchers at Rapid7 say the scheme works by injecting malicious code into compromised sites, which then serve visitors a convincing fake Cloudflare CAPTCHA page. Instead of simply proving you're not a robot, the prompt instructs users to copy and run a command on their machine – a step that ultimately triggers the download of credential-stealing malware.

The trick works because the attack starts on websites that otherwise look perfectly legitimate. Visitors think they're just clearing yet another Cloudflare bot check – the sort that litters the modern web – when in fact they're being talked through the first step of infecting their own machine.

The technique is part of the now well-worn ClickFix social engineering playbook, in which attackers persuade victims to execute commands themselves ...


Copyright of this story solely belongs to theregister.co.uk.