Abandoned subdomains belonging to Nvidia, Stanford University, National Public Radio, the US Centers for Disease Control and Prevention, and the federal government’s vaccine portal have been taken over to host AI-generated blogs, according to reports from 404 Media and TechCrunch. The compromised pages display sexually explicit or otherwise nonsensical headlines and funnel visitors to a spam marketing network, turning trusted domains into search-engine manipulation tools and exposing users to questionable promotions.
In a separate incident, Palo Alto Networks’ Unit 42 says a campaign dubbed “JSFireTruck,” also referred to as “JSF-ck,” has injected obfuscated JavaScript into roughly 269,000 legitimate websites over the past month. The code activates when visitors arrive via search engines, redirecting them to tech-support scams, malware downloads and other illicit destinations. The script fingerprints devices and often hides behind fake CAPTCHA challenges to tailor payloads and evade detection. Security firm Silent Push links related advertising fraud to more than 4,000 domains that mimic at least 68 consumer brands.
Although the two operations appear distinct, both highlight the cybersecurity risks posed by unmaintained web infrastructure and third-party code, even for prominent companies and government agencies.
Suspicious Facebook ads promoting cheap products from well-known brands revealed a massive fraud campaign spanning more than 4,000 domains and impersonating at least 68 brands, @silentpush reported. #cybersecurity #infosec #ITsecurity https://t.co/XHBjisM6jr
🚨 Over 269,000 legit websites hijacked with hidden JavaScript redirecting search engine visitors to malware and scams. Using a stealthy JSFireTruck obfuscation, attackers fingerprint devices to serve fake CAPTCHAs, tech support scams, and malware—evading detection at scale. https://t.co/pbNepqzAGB
Nearly 270,000 websites have been compromised with malicious JavaScript injections obfuscated using a unique method known as “JSF-ck,” @PaloAltoNtwks' @Unit42_Intel reported. #cybersecurity #infosec #ITsecurity https://t.co/Kq4lCOb8pY