Skip to content
SuperMoney logo
SuperMoney logo

JS Malware Discovered in IRS-Authorized Tax Return Software

Last updated 04/05/2023 by

The for-profit tax company authorized by the IRS,, was distributing JavaScript malware during tax season through a malicious file. Security researchers confirmed that the file was present on the website for several weeks. The full scope of the incident remains unclear, but it raises concerns about the security and oversight of IRS-authorized third-party tax software providers.
The IRS-authorized e-file software provider,, which is commonly used for filing tax returns, has been found to be distributing JavaScript malware.
According to security researchers, the malicious JavaScript file had been present on the website for several weeks. This was confirmed by BleepingComputer, who verified the existence of the specific malicious JavaScript file during that period.

Compare Tax Preparation Services

Compare multiple vetted providers. Discover your best option.
Compare Options

How did this happen?

According to BleepingComputer, — a for-profit tax company authorized by the IRS — was found to be distributing malware through a malicious JavaScript file during the tax season. The file, named “popper.js,” distributed malware to users by displaying a dummy error page and prompting them to download a browser update, which was actually a Windows-based botnet program.
Further investigation into the issue revealed that “popper.js” was being loaded by almost every page of until April 1st. The code attempted to load JavaScript that returned malware, using Math.random() to prevent caching and ensure a fresh copy of the malware was loaded each time the website was visited.
On March 17th, multiple users suspected that the website had been “hijacked.” BleepingComputer analyzed a sample of the PHP script seen by MalwareHunterTeam and found that it was backdoor malware that allowed the attacker to remotely access an infected device.
While some antivirus programs detected the issue, the file remained on the website as early as March 17th. Despite being alerted by multiple parties, BleepingComputer reported that has yet to make a statement on the matter.

What now?

It’s still unclear whether the attack was successful in infecting any visitors and customers. The incident highlights the need for individuals and businesses to take precautions and protect themselves from cyber threats, especially during tax season.
Though the full scope of the incident remains unclear, it serves as a reminder to be vigilant and stay up to date on the latest security measures. It also raises questions about the security and oversight of IRS-authorized third-party tax software providers.
IMPORTANT! While this is a significant concern, taxpayers must keep in mind that this security breach only affects No attacks or risks have been found in the IRS e-file infrastructure or any domains with similar names.

SuperMoney may receive compensation from some or all of the companies featured, and the order of results are influenced by advertising bids, with exception for mortgage and home lending related products. Learn more

Loading results ...

Share this post:

You might also like