270K websites injected with ‘JSF-ck’ obfuscated code

A piece of malicious JavaScript code partially obfuscated using “JSF-ck.” (Credit: Palo Alto Networks Unit 42)

Nearly 270,000 websites have been compromised with malicious JavaScript injections obfuscated using a unique method known as “JSF-ck,” Palo Alto Networks’ Unit 42 revealed Thursday.

JSF-ck uses only six ASCII characters to produce working JavaScript code — opening and closing parenthesis, opening and closing brackets, exclamation point and dollar sign. Due to the uncensored profanity in the method’s original name, Unit 42 refers to the technique as “JSFireTruck.”

The technique relies on JavaScript’s type coercion, where data types are automatically converted to resolve operations between mismatched data types. For example, when adding a string and a number, the number is automatically converted to a string (“1” + 1 becomes the string “11”).

JSFireTruck leverages type coercion to encode numbers and letters using crafted combinations of the six aforementioned characters.

As Unit 42 explains, +[] becomes the number zero because JavaScript converts the empty array [] into the value zero when preceded by a plus sign. To produce the number one, JSFireTruck uses +!![], where the two exclamation points convert the empty array to the Boolean value of true, which becomes the value one when preceded by a plus sign.

Any other number can be produced by adding together multiple instances of +!![]. The method encodes letters by using type coercion to produce strings (e.g., ![]+[] becomes the string “false”) and using offsets to select specific letters. Therefore (![]+[])[+!![]] becomes the letter “a” by selecting offset one of the “false” string (where +!![] represents the number one, as mentioned above).

Code obfuscated using JSFireTruck is extremely lengthy, and its length and unusual appearance make it easy to detect but difficult to analyze without the use of automated tools, Unit 42 explained. The researchers used the free public “UnJSF-ck” tool (profanity censored) to decode scripts found on the compromised websites.   
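
An added example, not code from Unit 42 or from the original article: a static scan that flags long runs made up only of the characters used in the expressions quoted above, alongside the article's coercion primitives written as ordinary JavaScript so the engine shows what they evaluate to. The 40-character threshold, the function names and the sample strings are assumptions constructed for illustration.

```javascript
// Added example: static heuristic for JSFireTruck-style runs. Nothing is eval'd.
// CHARSET comes from the expressions quoted above; MIN_RUN is an assumed
// threshold to tune against your own scripts.
const CHARSET = "[]()!+";
const MIN_RUN = 40;

// Escape each character so it is safe inside a regex character class.
function charClass(chars) {
  return "[" + [...chars].map((c) => "\\" + c).join("") + "]";
}

// Return every run of CHARSET-only characters at least minRun long.
function findCoercionRuns(source, minRun = MIN_RUN) {
  const re = new RegExp(charClass(CHARSET) + "{" + minRun + ",}", "g");
  const runs = [];
  for (const m of source.matchAll(re)) {
    runs.push({ offset: m.index, length: m[0].length });
  }
  return runs;
}

// Summarise a script: the runs found and the share of the file they cover.
function scanScript(source, minRun = MIN_RUN) {
  const runs = findCoercionRuns(source, minRun);
  const covered = runs.reduce((n, r) => n + r.length, 0);
  const coverage = source.length ? covered / source.length : 0;
  return { suspicious: runs.length > 0, runs, coverage };
}

// The article's primitives as real expressions, evaluated by the engine.
function articlePrimitives() {
  return {
    zero: +[],
    one: +!![],
    two: +!![] + +!![],
    word: ![] + [],
    letter: (![] + [])[+!![]],
  };
}

// Constructed samples: six copies of the article's "a" expression joined
// with +, wrapped in ordinary code, and a benign line using the same characters.
const A_EXPR = "(![]+[])[+!![]]";
const SAMPLE_INJECTED =
  "var x=1;" + Array(6).fill(A_EXPR).join("+") + ";document.title='t';";
const SAMPLE_BENIGN = "if (!(a[0]+b[1])) { return !!c; }";

console.log(scanScript(SAMPLE_INJECTED), scanScript(SAMPLE_BENIGN), articlePrimitives());
```

A hit is a reason to pull the file for review, not a verdict: minified or generated code can contain long punctuation runs, so the threshold is best calibrated against known-good scripts from the same site.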

The attackers in the campaign discovered by Unit 42 used a combination of JSFireTruck and other techniques. For example, in one case, deobfuscating the code revealed more obfuscated code, where values were extracted one-by-one from an array to reconstruct the code. The scripts also included combinations of obfuscated and unobfuscated expressions.

The malicious scripts check whether the user was referred by a search engine, and if so, add an iframe displaying the attacker’s site (or a file sharing site hosting a malicious payload), which covers the entire page so the user can only interact with the content in the iframe.

Unit 42 said the malicious redirects could potentially lead to malware downloads or phishing, or may be used to hijack web traffic for ad monetization purposes. The JSF-ck-obfuscated injections first spiked on April 12, 2025, affecting more than 200,000 sites within a period of about two weeks, according to Unit 42’s telemetry.

“Website administrators must keep their web servers up to date with the latest security updates, and administrators should also analyze their web servers for any signs of infection or compromise,” the Unit 42 researchers concluded.

Another malicious campaign relying on unique obfuscation techniques was recently discovered by Veracode, which reported that a malicious npm package used at least seven different obfuscation methods to hide its payload. The first phase of this npm attack also used type coercion to hide strings.
