There’s been a recent mass infection and attack in WordPress self-hosted blogs affecting the TimThumb.php, l10n.js, and WordPress core files in the “/wp-includes/js” folder.