kevingomega

Hi @bryanvandy — thanks for flagging this, and sorry for the scare. We’ve investigated.

Short version: this is a false positive from the host’s heuristic scanner, not malicious code in the MEGA AI plugin.

php.spam-seo.injector.357 is a pattern-based ClamAV signature. It fires on code that reads HTML from the database and outputs it into the page <head>. Our plugin does legitimately do that — it’s how the SEO platform injects things like verification meta tags, tracking pixels, and JSON-LD schema that you’ve approved. The scanner matches on the shape of that code, not on any actual spam or malicious content. There is no eval(), no obfuscation, no remote code execution, and no external code loading anywhere in the plugin (we removed the self-update mechanism back in v1.6.1 for exactly this kind of compliance). You can verify the distributed code yourself against the official package at https://wordpress.org/plugins/mega-ai/.

 That said, we want to be thorough about your client’s specific site, because there’s a second possibility worth ruling out: if a site is compromised through another vector (a vulnerable theme/plugin, weak admin creds, etc.), attackers commonly drop payloads into any writable plugin folder — including ours. If that happened here, the file your host “cleaned” would have been modified on your server, not shipped that way by us.

 To sort out which it is, could you share the full scan log / the exact contents your host quarantined from mega.php? That tells us immediately whether it was a heuristic hit on our legitimate code or a real injected payload on the server. In the meantime, if you want to disable all of our head injection on the site instantly, an admin can append ?mega-safe-mode=1 to any URL — that’s our built-in emergency off switch.

 Happy to take this to email if you’d prefer: support is reachable via lindsay@gomega.ai. Appreciate you raising it publicly so we could address it.