WordPress site owners should treat the new Steam Community profile abuse reported by GoDaddy Security as a backdoor cleanup problem, not as a gaming-platform issue. Researchers say the malware hides command-and-control data inside Steam profile comments with invisible Unicode characters, decodes that data inside WordPress, injects an external JavaScript file on public pages, and keeps a cookie-authenticated server-side backdoor for changing plugin and theme files.
The useful takeaway is narrow: if a compromised WordPress site loads a strange script from hello-mywordl[.]info, contains a suspicious script handle such as asahi-jquery-min-bundle, or has obfuscated PHP that fetches Steam profile comments, the cleanup has to include both visitor-facing JavaScript and server-side file integrity. Removing only the visible script can leave the attacker with a way back in.
What GoDaddy found
GoDaddy Security says it first detected the campaign in July 2025 and has seen the malware on approximately 1,980 WordPress sites. The technique is unusual because the malware does not rely only on an attacker-controlled command server. It fetches Steam Community profile pages, extracts profile-comment content, removes visible decoy text, and decodes hidden data from invisible Unicode characters such as zero-width joiners and related code points.
After decoding, the WordPress-side malware can build a URL for an injected JavaScript file. In GoDaddy’s sample, the decoded URL pointed to hello-mywordl[.]info/js/lodash[.]core[.]min[.]js, a name that imitates a common JavaScript library. The malware also uses normal-looking WordPress APIs and randomized function names, so a quick search for a single obvious string may miss it.
| Clue | Why it matters |
|---|---|
| `hello-mywordl[.]info` | Observed external JavaScript host in the GoDaddy analysis. Check page source, database content, theme files, plugin files, and server logs. |
| `asahi-jquery-min-bundle` | Script handle used to make a malicious enqueue look like a normal JavaScript bundle. |
| Steam profile comment fetching | Unexpected requests to Steam Community from WordPress PHP code can indicate the hidden C2 retrieval stage. |
| Invisible Unicode sequences | Zero-width characters can carry encoded data while the visible comment text looks harmless. |
| POST requests with unusual cookies | GoDaddy describes a cookie-authenticated backdoor path used for keepalive and code-update behavior. |
Who needs to check
The highest-risk group is anyone running WordPress sites where unknown plugins, old nulled themes, abandoned custom code, weak admin credentials, or previous malware cleanup work already created uncertainty. Shared-hosting users should also ask the host to review file modification history and outbound requests, because the malicious PHP can sit inside plugin or theme code while the public symptom appears only as a loaded script.
For visitors, the practical risk depends on what the injected JavaScript serves at the time they load the page. A compromised site can become a landing point for redirects, fake verification prompts, credential phishing, or malware delivery. That overlaps with earlier poisoned-site and ClickFix incidents, but this campaign’s distinctive sign is the Steam-profile comment channel used to hide instructions.
What to do now
- Search web server logs, cached HTML, and page source for `hello-mywordl.info`, `lodash.core.min.js`, and suspicious script handles that imitate common libraries.
- Review recently modified theme and plugin PHP files, especially code that hooks into `wp_enqueue_scripts`, `template_redirect`, or file-writing functions.
- Look for PHP that fetches Steam Community profile pages or processes invisible Unicode characters. That behavior is not normal for ordinary WordPress plugins.
- Restore core, plugin, and theme files from clean vendor sources where possible. Do not only delete the injected JavaScript URL if the server-side backdoor remains.
- Rotate WordPress administrator passwords, hosting panel passwords, SFTP/SSH credentials, database passwords, and API keys after the file system is clean.
- Disable dashboard file editing with `DISALLOW_FILE_EDIT`, remove unused plugins and themes, and tighten file permissions according to WordPress hardening guidance.
- Scan the administrator workstation if it recently uploaded plugins, edited theme files, or stored credentials. Gridinsoft Anti-Malware can help check a Windows admin PC for stealers or backdoors before credentials are reused.
- Use Gridinsoft Online Virus Scanner for suspicious files and Gridinsoft URL Scanner to check affected domains after cleanup.
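A triage sketch for the search steps above, added here as an example and not taken from GoDaddy's analysis or any WordPress tooling: it flags the two indicators the article names, references to the Steam Community host, and runs or escaped forms of invisible Unicode code points in theme, plugin, and cached files. The host name `steamcommunity.com`, the chosen code points, the run threshold of four, and the scanned file extensions are assumptions; obfuscated PHP can evade string matching, so comparing files against clean vendor copies remains necessary.

```python
import re
import sys
from pathlib import Path

# Indicators named in the article, written without defanging so they match.
IOC_STRINGS = ("hello-mywordl.info", "asahi-jquery-min-bundle")
# Assumption: Steam Community pages are fetched from this host name.
STEAM_HOST = "steamcommunity.com"
# Assumption: representative invisible code points (ZWSP, ZWNJ, ZWJ, word
# joiner, BOM). Runs of 4+ are flagged; a lone ZWJ inside an emoji is not.
INVISIBLE_RUN = re.compile("[\u200b\u200c\u200d\u2060\ufeff]{4,}")
# Assumption: the same code points written as PHP/JS escapes in source code.
INVISIBLE_ESCAPE = re.compile(
    r"\\u\{?(?:200[b-d]|2060|feff)\}?|\\xe2\\x80\\x8[b-d]", re.IGNORECASE)
SCAN_SUFFIXES = {".php", ".js", ".html"}


def scan_text(text):
    """Return sorted finding labels for one file's contents."""
    # A single leading BOM is common in legitimate files, so skip it.
    body = text[1:] if text.startswith("\ufeff") else text
    lowered = body.lower()
    findings = {"ioc:" + ioc for ioc in IOC_STRINGS if ioc in lowered}
    if STEAM_HOST in lowered:
        findings.add("steam-host-reference")
    if INVISIBLE_RUN.search(body):
        findings.add("invisible-unicode-run")
    if INVISIBLE_ESCAPE.search(body):
        findings.add("invisible-unicode-escape")
    return sorted(findings)


def scan_tree(root):
    """Walk a directory (e.g. wp-content) and map relative path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name}: {', '.join(hits)}")
```

Run it against a copy or snapshot of `wp-content`; any hit is a lead for manual review, not a verdict.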
If your site recently showed fake verification pages or malicious redirects, compare this case with ClickFix WordPress attacks that pushed Vidar Stealer and Ghost CMS ClickFix poisoning. For account-level WordPress risks, also see GoDaddy ManageWP phishing ads targeting WordPress admins.
FAQ
Does this mean Steam accounts are hacked?
No. The reported technique abuses public Steam Community profile comments as a place to hide encoded instructions. The risk described here is to compromised WordPress sites and their visitors, not to ordinary Steam users simply because they have a Steam account.
Is deleting the external JavaScript enough?
No. GoDaddy describes both client-side script injection and a server-side backdoor. If the PHP backdoor remains in a plugin or theme file, the attacker may be able to change code again.
What should I check first on a small WordPress site?
Start with page source and server logs for hello-mywordl.info, then review recently modified plugin/theme files and any PHP that unexpectedly fetches Steam Community pages or uses invisible Unicode decoding.
References
- GoDaddy Security. “Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations.” GoDaddy Blog, accessed June 2, 2026. https://www.godaddy.com/resources/news/malware-targeting-wordpress-abuses-steam-community-profiles
- WordPress.org. “Hardening WordPress.” WordPress Advanced Administration Handbook, accessed June 2, 2026. https://developer.wordpress.org/advanced-administration/security/hardening/

