Yesterday, Eugen Mayer of KontextWork told me on IRC that the download archive for the QTip2 JQuery plugin had been compromised and that there are now QTip2 versions with exploit code in the wild. As discussed on Github, someone hacked the QTip2 website and added malicious code.

This can also affect Drupal users because QTip2 is a popular JQuery plugin and can be easily integrated in Drupal projects, for example with the QTip module.

So, if you’re using QTip2, especially if you downloaded the plugin between December 8th 2011 and January 10th 2012, we recommend you get a clean current version as soon as possible.