Before any of these events happened, the perpetrator had replaced jquery.js on the website with an altered version. Huge numbers of websites use jQuery, to the point that developers treat it almost as part of JavaScript's core functionality. Many of them share the same copy from a trusted server, such as jquery.com or googleapis.com. Others, such as this site, host their own copy.
When people are looking for malware, they often don't think of questioning jQuery. Just for that reason, it's been a popular target for years. If their anti-malware software says something is wrong in jQuery, users and even administrators might dismiss it as a false positive.
Defeating website security to infiltrate jQuery can happen in several ways. Malware may get a foothold on the site and alter jquery.js. It may then delete itself to avoid detection. Website software packages, such as plugins, may come with a version of jQuery which is already compromised. A download site may offer a malicious version, which site owners will install on their sites.
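One way to catch an altered self-hosted jquery.js, or a plugin-bundled copy nobody recorded, is to compare every deployed script against a digest taken from a copy you trust. The following is an added example, not code from this site; the `auditScripts` helper, the file paths and the sample contents are constructed for illustration.

```javascript
// Added example: baseline check for self-hosted script copies (Node.js).
const { createHash } = require("node:crypto");

// Digest in the "sha384-<base64>" form also used by Subresource Integrity.
function sriDigest(bytes) {
  return "sha384-" + createHash("sha384").update(bytes).digest("base64");
}

// files:    Map of path -> Buffer, as currently deployed on the site
// baseline: Map of path -> digest recorded from a copy you trust
function auditScripts(files, baseline) {
  const findings = [];
  for (const [path, bytes] of files) {
    const expected = baseline.get(path);
    if (expected === undefined) {
      // e.g. a plugin shipped its own jQuery that was never recorded
      findings.push({ path, status: "unpinned" });
    } else if (sriDigest(bytes) !== expected) {
      findings.push({ path, status: "modified" });
    } else {
      findings.push({ path, status: "ok" });
    }
  }
  // A baselined file that has disappeared is also worth a look.
  for (const path of baseline.keys()) {
    if (!files.has(path)) findings.push({ path, status: "missing" });
  }
  return findings;
}

// Constructed stand-in content, not real jQuery source.
const trusted = Buffer.from("/* jquery stand-in */ function $(s){return s;}\n");
const baseline = new Map([
  ["js/jquery.js", sriDigest(trusted)],
  ["js/site.js", sriDigest(Buffer.from("console.log('site');\n"))],
]);
const deployed = new Map([
  // Same file with one appended line: the digest no longer matches.
  ["js/jquery.js", Buffer.concat([trusted, Buffer.from("/* extra */\n")])],
  ["plugins/gallery/jquery.js", trusted], // bundled copy with no baseline
]);

function demo() {
  return auditScripts(deployed, baseline);
}
console.log(demo());
```

A "modified" result on jquery.js is the finding that tends to get waved away as a false positive; comparing against a recorded digest gives a concrete reason to investigate it instead.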
The deadliest are supply-chain attacks, where a bad version of a file gets onto a widely used distribution site for software. Even if it's caught quickly, this kind of attack can deliver malware to many sites that are eager to get the "new version." In one of the worst cases, the official site for a popular file cleaning tool held an infected version of the software, which many users downloaded. Ironically, it's often users' zeal to stay safe with the latest updates that puts them in danger.