UK Government websites are currently running compromised third party Javascript

Update - 15:44 on 11th February 2018

The site hosting the compromised plugin has been taken offline to mitigate the issue. The question now is how long the plugin has been compromised and what steps will be taken to ensure more serious breaches don't occur in future.

While a hidden cryptominer is a serious issue, it is relatively benign compared to something which may be stealing visitor's private information. At this time there is no suggestion that this is something that serious.


In a massive security disaster, many UK government websites are currently serving a cryptominer spiked third-party Javascript package.

The snafu was first noticed by infosec consultant Scott Helme who posted his findings on Twitter. He noticed that a plugin provided by had been compromised, the plugin is used on government sites amongst others to provide audio versions of the text on pages for those with vision or reading issues.

At the time of writing, a total of 4,275 sites are using the infected code, and at least twenty are UK government, NHS or academic sites. Other national government sites are affected in the US and New Zealand amongst others.

This situation highlights the risk in serving third party code on websites - one compromise has resulted in thousands of legitimate sites visitors being used to mine cryptocurrency against their wishes.

A full list of the sites linking to this plugin is here...

Latest Articles