WordPress sites have been the target of a highly active malicious campaign that infects them with a malware dubbed WP-VCD that hides in plain sight and quickly spreads to the entire website. The group of hackers behind it have also made sure that their malicious payload is also very hard to get rid of once it manages to compromise a site. The malware is also designed to scan its way through the hosting server and infect any other WordPress sites it finds. Wordfence found more than one hundred infections while monitoring the latest infections.
Source: https://www.bleepingcomputer.com/news/security/wordpress-admins-infect-their-sites-with-wp-vcd-via-pirated-plugins/