Security researchers have spotted counterfeit versions of the jQuery Migrate plugin injected on dozens of websites which contains obfuscated code to load malware. Over 7.2 million websites use the plugin, which explains why attackers would disguise their malware under this popular plugin’s name. These malicious files replace the original, legitimate files present at./WP-includes/js/jquery/ on these websites, which is the directory where WordPress keeps JavaScript files. The code has references to the WordPress administration page for creating new users.
Source: https://www.bleepingcomputer.com/news/security/fake-jquery-files-infect-wordpress-sites-with-malware/