- Client-side attacks are rapidly evolving, ranging from OAuth abuse to crypto wallet drainers
- WordPress and mobile browsers have been the primary targets
- Compliance risks are mounting under GDPR, PCI DSS 4.0.1, and CCPA
SAN FRANCISCO, July 30, 2025 (GLOBE NEWSWIRE) — cside, which specializes in securing vulnerable web dependencies, today released the Q2 2025 Client-Side Attack Report. The report reveals a sharp and concerning rise in web-based attacks targeting mobile browsers, content management systems, and vulnerable third-party JavaScript dependencies. The company’s Threat Research Team identified more than 72,000 compromised websites, including cryptocurrency platforms, e-commerce storefronts, and high-traffic media sites.
Unlike traditional server-based breaches, these attacks take place in the user’s browser. Attackers are embedding malicious scripts, hijacking OAuth flows, and deploying visually indistinguishable phishing pages to steal data and drain assets, all while bypassing backend security controls.
“These aren’t theoretical risks. They’re happening now, and they’re happening at scale,” said Himanshu Anand, a security analyst at cside who leads the Threat Research Team. “Attackers are exploiting the blind spots that traditional security tools miss: real-time browser behavior, mobile interactions, and the uncontrolled sprawl of third-party JavaScript. This quarter, we saw proof that even small gaps in client-side security can lead to major financial and compliance fallout.”
Among the key trends identified in the report:
- Mobile-first attack campaigns that deploy malicious Progressive Web Apps (PWAs), often using adult content lures.
- OAuth hijacking that abuses Google login flows to steal session tokens via WebSocket connections.
- Wallet drainer injections and credential theft enabled by SEO poisoning and fake content delivery networks.
- Cross-platform plugin exploitation through tools like ClickFix, enabling persistent payload injection across WordPress, Joomla, and custom CMSes.
The report identified 72,740 compromised websites, four brand-new attack techniques, and two major plugin-based supply chain breaches. The most affected industries included e-commerce, crypto, SMBs, and media. WordPress remains the top CMS target due to its global ubiquity and plugin fragmentation. The crypto sector, though smaller in volume, saw some of the most severe attacks, including real-world asset losses from wallet-draining campaigns. The incidents also carried regulatory implications under GDPR, PCI DSS 4.0.1, and CCPA.
To help organizations mitigate these risks, cside recommends a shift in browser-side security posture:
- Treat all third-party scripts as untrusted by default
- Deploy behavioral runtime detection to catch threats inside the live browser session
- Harden CMS platforms, particularly WordPress, against plugin-based exploits
- Develop targeted incident playbooks for Magecart-style attacks, plugin hijacking, and credential theft
- Maintain active compliance alignment with evolving standards under GDPR, PCI-DSS 4.0.1, and CCPA
Looking ahead, the report anticipates an increase in AI-generated phishing campaigns, the broader use of wallet drainers on Solana and L2 chains, and continued abuse of browser-native APIs, such as OAuth and WebSocket.
Executives, CISOs, compliance professionals, and security teams can download the full Q2 2025 Client-Side Attack Report at: https://cside.dev/blog/client-side-attack-report-q2-2025
About cside
cside is a venture-backed cybersecurity company specializing in browser-side threat detection and protection. The company’s platform provides complete visibility and control over vulnerable first- and third-party scripts running on websites, protecting sensitive visitor data while ensuring optimal website performance. cside’s innovative technology enables customers to secure their web supply chain against sophisticated attacks and streamlines compliance with regulations such as PCI DSS 4.0.1.
Contact
Bret Clement
Clement | Peterson // bret@clementpeterson.com


 
		