Cryptojackers, online scripts that steal your CPU cycles to mine cryptocurrency, are spreading like wildfire. They're also showing up in a lot of unexpected places: The Register writes that thousands of websites around the world were inadvertently running Coinhive's Monero miner, including many US and UK government pages.
Browsealoud was to blame; this is a plug-in that reads out webpages for blind or partially sighted people. Unfortunately, the service got hacked and started serving hidden mining code.
A list of 4,200-plus affected websites can be found here: they include The City University of New York (cuny.edu), Uncle Sam's court information portal (uscourts.gov), Lund University (lu.se), the UK's Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner's Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), plus a shedload of other .gov.uk and .gov.au sites, UK NHS services, and other organizations across the globe.
Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au, the list goes on.
Texthelp, the developer of Browsealoud, addressed the issue immediately and pulled the altered code.