Title: Plugin Injected with Malware?
Last modified: June 8, 2026

---

# Plugin Injected with Malware?

 *  [bryanvandy](https://wordpress.org/support/users/bryanvandy/)
 * (@bryanvandy)
 * [6 days, 22 hours ago](https://wordpress.org/support/topic/plugin-injected-with-malware/)
 * A client installed this on their website 2 days ago and my host had to clean 
   the site for malware and the infected file was in the plugin. Beware when using
   this; plugin author, please investigate. Thank you!
 * CLEARED: Cleared malware from file: ./wp-content/plugins/mega-ai/mega.php Details:
   php.spam-seo.injector.357

Viewing 2 replies - 1 through 2 (of 2 total)

 *  [kevingomega](https://wordpress.org/support/users/kevingomega/)
 * (@kevingomega)
 * [5 days, 18 hours ago](https://wordpress.org/support/topic/plugin-injected-with-malware/#post-18933653)
 * Hi [@bryanvandy](https://wordpress.org/support/users/bryanvandy/) — thanks for
   flagging this, and sorry for the scare. We’ve investigated.
 * **Short version: this is a false positive from the host’s heuristic scanner, 
   not malicious code in the MEGA AI plugin.**
 * `php.spam-seo.injector.357` is a _pattern-based_ ClamAV signature. It fires on
   code that reads HTML from the database and outputs it into the page `<head>`.
   Our plugin does legitimately do that — it’s how the SEO platform injects things
   like verification meta tags, tracking pixels, and JSON-LD schema that you’ve 
   approved. The scanner matches on the _shape_ of that code, not on any actual 
   spam or malicious content. There is no `eval()`, no obfuscation, no remote code
   execution, and no external code loading anywhere in the plugin (we removed the
   self-update mechanism back in v1.6.1 for exactly this kind of compliance). You
   can verify the distributed code yourself against the official package at [https://wordpress.org/plugins/mega-ai/](https://wordpress.org/plugins/mega-ai/).
 *  That said, we want to be thorough about _your client’s specific site_, because
   there’s a second possibility worth ruling out: if a site is compromised through
   another vector (a vulnerable theme/plugin, weak admin creds, etc.), attackers
   commonly drop payloads into _any_ writable plugin folder — including ours. If
   that happened here, the file your host “cleaned” would have been modified on 
   your server, not shipped that way by us.
 *  To sort out which it is, could you share **the full scan log / the exact contents
    your host quarantined from `mega.php`**? That tells us immediately whether
   it was a heuristic hit on our legitimate code or a real injected payload on the
   server. In the meantime, if you want to disable all of our head injection on 
   the site instantly, an admin can append `?mega-safe-mode=1` to any URL — that’s
   our built-in emergency off switch.
 *  Happy to take this to email if you’d prefer: support is reachable via [lindsay@gomega.ai](mailto:lindsay@gomega.ai).
   Appreciate you raising it publicly so we could address it.
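
The reply above suggests verifying the installed code against the official package. The following is an added example, not code from the plugin or from either poster: it hashes an installed plugin folder against an unpacked reference copy of the same version and reports files that were modified, added, or are missing. The directory layout and file contents in `demo()` are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_plugin(installed_dir, reference_dir):
    """Compare an installed plugin tree with an unpacked official package."""
    installed = tree_hashes(installed_dir)
    reference = tree_hashes(reference_dir)
    common = installed.keys() & reference.keys()
    return {
        # Same path, different bytes: changed on the server after install.
        "modified": sorted(f for f in common if installed[f] != reference[f]),
        # Present on the server only: not shipped in the package.
        "added": sorted(installed.keys() - reference.keys()),
        # Shipped in the package but absent on the server (e.g. quarantined).
        "missing": sorted(reference.keys() - installed.keys()),
    }


def demo():
    """Constructed sample: one file altered and one extra file on the 'live' side."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp, "reference", "mega-ai")
        live = Path(tmp, "live", "mega-ai")
        for d in (ref, live):
            (d / "includes").mkdir(parents=True)
            (d / "mega.php").write_text("<?php // constructed placeholder\n")
            (d / "includes" / "head.php").write_text("<?php // constructed placeholder\n")
        with (live / "mega.php").open("a") as fh:
            fh.write("// constructed: bytes appended after install\n")
        (live / "includes" / "cache.php").write_text("<?php // constructed extra file\n")
        return compare_plugin(live, ref)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

An empty report means the scanner matched the code as distributed; any entry means the tree differs from the package and the quarantined copy or a backup should be inspected. On hosts with WP-CLI, `wp plugin verify-checksums mega-ai` performs a comparable check against the checksums published by WordPress.org.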
 *  Thread Starter [bryanvandy](https://wordpress.org/support/users/bryanvandy/)
 * (@bryanvandy)
 * [5 days, 17 hours ago](https://wordpress.org/support/topic/plugin-injected-with-malware/#post-18933677)
 * Thank you Kevin! I will follow up with my host to see if this was falsely marked
   or infected from another source.

 * 2 replies
 * 2 participants
 * Last reply from: [bryanvandy](https://wordpress.org/support/users/bryanvandy/)
 * Last activity: [5 days, 17 hours ago](https://wordpress.org/support/topic/plugin-injected-with-malware/#post-18933677)
 * Status: not resolved