Threat Actors Push ClickFix Fake Browser Updates Using Stolen Credentials
ID: 7db7e6cd-2589-5895-85b0-2cb990d961fd
STIX ID: report--7db7e6cd-2589-5895-85b0-2cb990d961fd
Feed Name: infostealers.com
GoDaddy Security describes an active campaign in which attackers use stolen WordPress admin credentials to install large numbers of bogus plugins. The plugins inject ClickFix/ClearFake fake-browser-update JavaScript that retrieves its malware payloads through blockchain smart contracts (the EtherHiding technique); the payloads are notably info-stealers such as Vidar and Lumma. The report provides IoCs (plugin paths, MD5/SHA256 hashes, smart contract IDs, endpoints, GitHub/BitBucket accounts) and attack-log evidence of automated, credential-based compromise across thousands of sites.
