A list of 4,200-plus affected websites can be found here: they include The City University of NY (cuny.edu), Uncle Sam's court information portal (uscourts.gov), Lund University (lu.se), the UK's Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner's Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), plus a shedload of other .gov.uk and .gov.au sites, UK NHS services, and other organisations across the globe.
Scott Helme, an IT security consultant, raised the alarm about the malware after he received a message from a friend whose antivirus software had detected an issue after visiting a United Kingdom government website.
According to the Register, all of the afflicted websites ran British tech company Texthelp's Browsealoud plugin, which reads out websites for people with visual impairments like full or partial blindness or conditions like dyslexia.
"If you want to load a crypto miner on 1000+ websites you don't attack 1000+ websites, you attack the 1 website that they all load content from", Helme said.
Texthelp, which operates the compromised Browsealoud plugin, confirmed to Sky News that their software was hacked at 11.14am on Sunday and remained active for four hours.
Some of the affected websites have been taken offline as Whitehall IT experts battle to defeat the code.
This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.
"Texthelp can report that no customer data has been accessed or lost." The company added that "This was a criminal act and a thorough investigation is now underway" by an independent security company.
Helme said: "Every single website I run has an 'Integrity Attribute', which is a tiny change in how the script is loaded but is there because I'm anxious about exactly this type of thing happening."
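The "Integrity Attribute" in Helme's remark is the HTML `integrity` attribute (Subresource Integrity): the page pins a hash of the third-party script, and the browser refuses to run a file that no longer matches. The sketch below is an added example, not code from the article, Helme or Texthelp; it models that check in Node.js, and the URL, function names and script contents are constructed placeholders.

```javascript
// Added example: models the browser's Subresource Integrity (SRI) check in Node.js.
const crypto = require("crypto");

// Hash algorithms SRI supports, weakest to strongest.
const ALGOS = ["sha256", "sha384", "sha512"];

// Value for the integrity attribute, computed from the reviewed script bytes.
function sriValue(body, algo = "sha384") {
  return algo + "-" + crypto.createHash(algo).update(body).digest("base64");
}

// Parse an integrity attribute; drop unsupported tokens and keep only the
// entries that use the strongest algorithm present, as browsers do.
function strongestMetadata(integrity) {
  const parsed = integrity.trim().split(/\s+/)
    .map((tok) => /^(sha256|sha384|sha512)-([A-Za-z0-9+\/=]+)(\?.*)?$/.exec(tok))
    .filter(Boolean)
    .map((m) => ({ algo: m[1], digest: m[2] }));
  const best = Math.max(-1, ...parsed.map((p) => ALGOS.indexOf(p.algo)));
  return parsed.filter((p) => ALGOS.indexOf(p.algo) === best);
}

// True if a browser would run the script, false if it would block it.
function sriAllows(body, integrity) {
  const metadata = strongestMetadata(integrity);
  // No usable hash (empty value or only unsupported algorithms): the script
  // loads unchecked, so such an attribute gives no protection.
  if (metadata.length === 0) return true;
  return metadata.some((m) => sriValue(body, m.algo) === `${m.algo}-${m.digest}`);
}

// crossorigin is required so the browser may hash a cross-origin response.
function scriptTag(url, body) {
  return `<script src="${url}" integrity="${sriValue(body)}" crossorigin="anonymous"></script>`;
}

// Constructed sample data: the file the site owner reviewed, and the same
// file after it was changed on the third-party host.
const REVIEWED = "window.readAloud = function () { /* vendor code */ };\n";
const MODIFIED = REVIEWED + "/* code added on the vendor's server */\n";
const SCRIPT_URL = "https://cdn.example.com/reader.js"; // hypothetical URL

console.log(scriptTag(SCRIPT_URL, REVIEWED));
console.log("reviewed file runs:", sriAllows(REVIEWED, sriValue(REVIEWED)));
console.log("modified file runs:", sriAllows(MODIFIED, sriValue(REVIEWED)));
```

The pinned hash has to be regenerated whenever the vendor ships a legitimate update, so the attribute suits scripts served at a fixed, versioned URL.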
Information security blogger Scott Helme discovered the hack via the UK Information Commissioner's Office website on the weekend. The UK's National Cyber Security Centre is investigating the incident.
The affected service has been taken offline, largely mitigating the issue.
The website for the parliament of Victoria and the Queensland government's legislation website were among thousands of websites that fell victim to a hack that hijacked them to mine cryptocurrency. At this stage there is nothing to suggest that members of the public are at risk.