cdn.jsdeliver.net (with an e) exactly mirrors cdn.jsdelivr.net, but appends malicious code to the end of every request
here, here, here, and even on the error pages. Has jsDelivr been hacked? Looking up the url yields “GET RID OF THE FREECONTENT.DATE VIRUS”, which I’m sure are clickbait/template sites, or sometimes malware themselves, but it’s still worrying.
Edit: I looked at the first search result, and while it advertises something that’s probably malware, it seems like it was written by hand, and talks about it being a browser hijacker, which seems somewhat accurate, given that the appended JS is linking to a JS script. Also, link to the script, gist mirror (wayback machine won’t archive it).
Edit1: I looked at #18049, and in case this is a regional issue, I’m in the Chicago area in the US.
Edit2: Added the decrypted code to the gist, which is what the script eventually evals once it atob’s a bunch of stuff.
Edit3: that script in turn links to a wasm.js (I think?) payload: link, and the mirror and decoded wasm.js are on this gist.
Edit4: It only happens on cdn.jsdeliver.net, with an e. I updated the title to match.
Edit5: I thought jsdeliver.net was just a mirror to jsdelivr.net, but I guess it’s registered by someone else, judging by a whois lookup.
So actual problem, somebody is impersonating your domain name and adding malware.
Edit6: Here’s a search for code on GitHub using the wrong domain.
Issue Analytics
- Created 5 years ago
- Comments: 12 (7 by maintainers)
Top GitHub Comments
I reported the abuse to the new registrar. Let's see if that solves the problem.
The domain registrar just suspended their domain. It will take some time to propagate but I think the problem is solved. Thanks for reporting @coolreader18
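
A defensive check for the situation in Edit6 (code that references the wrong domain), as an added example that is not part of the original issue or jsDelivr's code: it scans text for URLs whose host is a near-miss of an allowlisted CDN host. The function names, the allowlist, the distance threshold and the sample markup (including the package names) are assumptions constructed for illustration.

```javascript
// Added example: flag URLs whose host is close to, but not equal to, a trusted CDN host.
const TRUSTED_HOSTS = ["cdn.jsdelivr.net"]; // assumed allowlist; extend with your own CDNs

// Optimal string alignment distance: insertions, deletions, substitutions
// and swaps of two adjacent characters each cost 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...new Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns one finding per URL whose host is within maxDistance edits of a
// trusted host without matching it exactly. Line numbers are 1-based.
function findLookalikeHosts(text, trusted = TRUSTED_HOSTS, maxDistance = 2) {
  const findings = [];
  const urlPattern = /(?:https?:)?\/\/([a-z0-9.-]+)/gi; // also matches protocol-relative //host
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const m of line.matchAll(urlPattern)) {
      const host = m[1].toLowerCase().replace(/\.$/, ""); // hosts are case-insensitive
      if (trusted.includes(host)) continue;
      for (const good of trusted) {
        const distance = editDistance(host, good);
        if (distance <= maxDistance) findings.push({ line: idx + 1, host, expected: good, distance });
      }
    }
  });
  return findings;
}

// Constructed sample input (not taken from any real repository).
const SAMPLE = [
  '<script src="https://cdn.jsdelivr.net/npm/example-lib@1.0.0/dist/lib.min.js"></script>',
  '<script src="https://cdn.jsdeliver.net/npm/example-lib@1.0.0/dist/lib.min.js"></script>',
  '<link rel="stylesheet" href="//CDN.JSDELIVER.NET/npm/example-css@2.0.0/style.css">',
  '<script src="https://example.com/app.js"></script>',
].join("\n");

for (const f of findLookalikeHosts(SAMPLE)) {
  console.log(`line ${f.line}: ${f.host} looks like ${f.expected} (distance ${f.distance})`);
}
```

A threshold of 2 suits hosts of this length; for short host names it will produce false positives, so lower it or compare only the registrable domain.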