Impacted websites, whose initial means of compromise remains uncertain, had a script retrieved from the wp3[.]xyz domain enabling the establishment of a deceptive admin account before installing an information-stealing plugin targeting admin credentials, logs, and other sensitive details, a report from c/side, a webscript security firm, revealed.