Weird code gets added to messages - What does it mean?

Hi there,

I recognized that some wired code gets added to some of my messages. For example when I contacted a support team from a WP Plugin then the code gets added on top. Also it gets added inside the WP Elementor Plugin, when I will edit some text. And finally it is visible on top of a form I created in Wordpress.

This is the code:

var spector; var captureOnLoad = false; var captureOffScreen = false; window.__SPECTOR_Canvases = []; (function() { var __SPECTOR_Origin_EXTENSION_GetContext = HTMLCanvasElement.prototype.getContext; HTMLCanvasElement.prototype.__SPECTOR_Origin_EXTENSION_GetContext = __SPECTOR_Origin_EXTENSION_GetContext; if (typeof OffscreenCanvas !== 'undefined') { var __SPECTOR_Origin_EXTENSION_OffscreenGetContext = OffscreenCanvas.prototype.getContext; OffscreenCanvas.prototype.__SPECTOR_Origin_EXTENSION_OffscreenGetContext = __SPECTOR_Origin_EXTENSION_OffscreenGetContext; OffscreenCanvas.prototype.getContext = function () { var context = null; if (!arguments.length) { return context; } if (arguments.length === 1) { context = this.__SPECTOR_Origin_EXTENSION_OffscreenGetContext(arguments[0]); if (context === null) { return context; } } else if (arguments.length === 2) { context = this.__SPECTOR_Origin_EXTENSION_OffscreenGetContext(arguments[0], arguments[1]); if (context === null) { return context; } } var contextNames = ["webgl", "experimental-webgl", "webgl2", "experimental-webgl2"]; if (contextNames.indexOf(arguments[0]) !== -1) { // context.canvas.setAttribute("__spector_context_type", arguments[0]); // Notify the page a canvas is available. var myEvent = new CustomEvent("SpectorWebGLCanvasAvailableEvent"); document.dispatchEvent(myEvent); this.id = "Offscreen"; window.__SPECTOR_Canvases.push(this); if (captureOnLoad) { // Ensures canvas is in the dom to capture the one we are currently tracking. if (false) { spector.captureContext(context, 500, false, false); captureOnLoad = false; } } } return context; } } HTMLCanvasElement.prototype.getContext = function () { var context = null; if (!arguments.length) { return context; } if (arguments.length === 1) { context = this.__SPECTOR_Origin_EXTENSION_GetContext(arguments[0]); if (context === null) { return context; } } else if (arguments.length === 2) { context = this.__SPECTOR_Origin_EXTENSION_GetContext(arguments[0], arguments[1]); if (context === null) { return context; } } var contextNames = ["webgl", "experimental-webgl", "webgl2", "experimental-webgl2"]; if (contextNames.indexOf(arguments[0]) !== -1) { context.canvas.setAttribute("__spector_context_type", arguments[0]); // Notify the page a canvas is available. var myEvent = new CustomEvent("SpectorWebGLCanvasAvailableEvent"); document.dispatchEvent(myEvent); if (captureOffScreen) { var found = false; for (var i = 0; i < window.__SPECTOR_Canvases.length; i++) { if (window.__SPECTOR_Canvases[i] === this) { found = true; break; } } if (!found) { window.__SPECTOR_Canvases.push(this); } } if (captureOnLoad) { // Ensures canvas is in the dom to capture the one we are currently tracking. if (this.parentElement || false) { spector.captureContext(context, 500, false, false); captureOnLoad = false; } } } return context; } })()

I also send a screenrecoding from the code, so that you can read it better:

Is anyone familiar with this code?

What does it mean and how can I get rid of it?

Thanks for help!

Does no one have any idea what this code does and why it keeps popping up?

Thanks a lot for answers!

Do you have any plugins/extensions on your browser?

@skaparate Thanks for your reply! I have plugins on some browsers, but I tested it with a few different browser and some of them have no plugins at all.

You can check the issue here. There you can see the weird code that gets added to the form. There are also some errors in the console, but I am not sure how to solve them.

Thanks for help!!

I’m not entirely sure, but I’m inclined to say it’s some kind of virus.

Can you scan your website for virus? WordPress, specially if you allow people to upload files to it, can be very vulnerable.

You could search the website files (WordPress core files) for a specific string, like this: HTMLCanvasElement.prototype.__SPECTOR_Origin_EXTENSION_GetContext

That could give you some idea of what is injecting that code. If you download the files, scan them with an antivirus and make sure they’re isolated (use sandboxie, for instance, or a VM without access to your Host OS)

1 Like

@skaparate Thanks for your reply!

Actually it was some kind of malware and another Dev helped me to get rid of it. However it is still somewhere inside the system because I can see that similar code gets automatically added into Elementor (page builder plugin).

I dont have any idea what is the purpose of this virus and can it actually effect my operating system as well? I also dont know how to delete this virus completely.

For now the website looks normal, I just get this annoying code added into a text editor in Wordpress. Is there anything I can do without spending days to fix it?

Btw, there is no upload option on the Website, but there are some contact forms without a reCapture, probably the virus was injected through a contact form…

Right, I can see from another thread you’ve made that you’re using threejs. Are you using the Spector.js extension in your browser to inspect that or have you installed it at some point (there are Chrome & Firefox plugins)?

That’s not a virus, it’s just the error messages from the Spector.js extension when it tries to access something that isn’t a WebGL scene. IIRC (I used it when I was doing some threejs and babylonjs stuff) it interacts really badly with some website code, I think to do with how it sends messages/events

The extension is emitting events. Some textarea or whatever has an event listener attached to it that is picking up those events. That’s all. Something, either Spector or the WP plugin (edit: TinyMCE is the common thing that is picking the events up here) , is maybe not that cleverly coded :man_shrugging:t3:. I would very strongly suspect (from using it) that the issue is Spector but I dunno

Just disable the extension and the messages will go away

Google will give you lots of results, but basically every single one will be when this has happened to someone when they’ve been writing a WP or a forum post and they’ve hit publish without realising the post is basically all that garbage