IRS-authorized tax return software caught serving JS malware, an IRS-authorized e-file software service provider used by many for filing their tax returns, has been caught serving JavaScript malware.

Security researchers state the malicious JavaScript file existed on website for weeks.

Note, this security incident specifically concerns and not identical sounding domains or IRS’ e-file infrastructure.

Just in time for tax season was caught serving malware, as spotted by multiple users and researchers. The malicious JavaScript file in question is called ‘popper.js’: serving malicious popper.js file
The ‘popper.js’ file used by across its web pages contains malware

The development comes at a crucial time when U.S. taxpayers are wrapping up their IRS tax returns before the April 18th due date.

The highlighted code above is base64-encoded, with its decoded version shown below. The code attempts to load JavaScript returned by infoamanewonliag[.]online:


The use of Math.random() at the end is likely to prevent caching and load a fresh copy of the malware—should the threat actor make any changes to it, every time is visited. At the time of writing, the endpoint was no longer up.

It was confirmed the malicious JavaScript file ‘popper.js’ was being loaded by almost every page of, at least up until April 1st. pages serving pages serving poppers.js (BleepingComputer)

Today, the file is no longer serving the malicious code.

Website ‘hijacked’ over 2 weeks ago

On March 17th, a Reddit thread surfaced where multiple users suspected the website was “hijacked.”

At the time, the website showed an SSL error message that, some suspected, appeared to be fake:

SSL error shown by
SSL error is shown by (u/SaltyPotter on Reddit)

Turns out that’s indeed the case. Researchers spotted an additional file, ‘update.js’ associated with this attack which was being served by an Amazon AWS endpoint.

As shown in the screenshot below, ‘update.js’ has the fake SSL error message present as base64-encoded HTML code (highlighted below) inside of it:

Fake SSL error message encoded as base64
Fake SSL error message which is just base64-encoded HTML (BleepingComputer)

An HTML excerpt from the decoded string generating the fake SSL error is shown below:

HTML code generating the fake SSL error message
Decoded base64 HTML code generating the fake SSL error message (BleepingComputer)

The malicious JavaScript file ‘update.js’, further attempts to prompt users to download the next stage payload, depending on whether they are using Chrome [update.exe – VirusTotal] or Firefox [installer.exe – VirusTotal]. Some antivirus products have already begun flagging these executables as trojans.

It was confirmed that these binaries connect to a Tokyo-based IP address,, that appears to be hosted with Alibaba. The same IP also hosts the illicit domain, infoamanewonliag[.]online associated with this issue.

Security research group named MalwareHunterTeamwho further analyzed these binaries, states these contain Windows botnets written in PHP—a fact the research group mocked. Additionally, they called out for leaving the malicious code on its website for weeks:

“So, the website of []… got compromised at least around the middle of March & still not cleaned,” writes MalwareHunterTeam.

Referring to a Reddit thread, they further said, “…even the payloads serving domain was mentioned 15 days ago already. How has this not got more attention yet?”

Dr. Johannes Ulrich of the SANS Institute has also released an analysis of the issue.

The full scope of this incident, including if the attack successfully infected any visitors and customers, remains yet to be learned.

As a recap, in January 2022, the LockBit ransomware gang claimed it had attacked
Source: BleepingComputer