According to a Sucuri blog post published on Tuesday, the malicious script – discovered during an incident response investigation – included the fake, malicious domain "code.wordprssapi[.]com", where users' cookie data was sent. (Note the missing "e" in "wordprssapi".) Hackers used a typosquatting strategy to create a domain that looked very similar to that a real, legitimate web service in order to go unnoticed by webmasters. (As it so happens, the properly spelled "code.wordpressapi[.]com" has nothing to do with WordPress either, Sucuri notes.)
Regardless of the legitimacy of the domain referenced in the script, the act of sending cookies to another domain is "always a red flag," Sucuri noted, because "Cookies contain a wealth of private information that should not be shared."