Just because the number of drive-by cryptomining reports has slowed down doesn’t mean the practice has stopped. A security researcher has revealed that hundreds of big-name websites have been surreptitiously using visitors’ CPUs to mine Monero, and it’s all thanks to two security flaws in the Drupal content management system.
Patches for the two Drupal vulnerabilities—CVE-2018-7600 and CVE-2018-7602—were issued weeks ago but a huge number of websites have yet to apply the fixes, making them vulnerable to the 'Drupalgeddon2' remote code execution flaws.
Researcher Troy Mursch of Bad Packets Report told Ars Technica that over 400 websites had been hacked, including those belonging to Lenovo, the University of California at Los Angeles, the US National Labor Relations Board, San Diego Zoo, the Arizona Board of Behavioral Health Examiners, and the city of Marion. An extensive list can be found in this Google Docs spreadsheet.
As was the case with previous cryptojacking incidents, the attackers injected a Coinhive script to mine Monero, which is harder to trace than other cryptocurrencies.
“This is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale,” Mursch wrote. “If you’re a website operator using Drupal’s content management system, you need to update to the latest available version ASAP.”
This isn’t the only recent cryptomining attack to take advantage of Drupal. Last week, security firm Imperva reported on another campaign targeting Drupal sites. It was named “Kitty” because the miner was hidden inside a file named “me0w.js.” Instead of using Coinhive, it used a similar miner from the Monero mining pool webminerpool.com. The hackers also installed a PHP-based backdoor on the sites, giving them continued access even after the sites were patched. It’s thought the Kitty campaign could have affected thousands of websites.
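For a site operator who has patched Drupal and now wants to confirm that no miner was left behind in the rendered pages, the following script is an added example (not code from the article, Bad Packets Report or Imperva). It collects every `<script>` tag from an HTML document and flags external sources or inline bodies that contain indicators named in the article: "coinhive", the Kitty loader "me0w.js", and the pool "webminerpool.com". The sample pages and the placeholder site key are constructed for the demonstration; the indicator list is deliberately small and is meant to be extended with whatever an operator's own incident data shows.

```python
from html.parser import HTMLParser

# Indicator substrings taken from the article's description of the two
# campaigns (Coinhive, and Kitty's me0w.js / webminerpool.com). Matching is
# case-insensitive. Extend this tuple for your own environment.
MINER_INDICATORS = ("coinhive", "me0w.js", "webminerpool.com")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []       # values of <script src="...">
        self.inline = []     # text bodies of inline <script> blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> content through handle_data as raw text.
        if self._in_script and data.strip():
            self.inline.append(data)


def find_miner_indicators(html):
    """Return a list of (location, indicator) pairs found in the document."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for src in collector.srcs:
        for indicator in MINER_INDICATORS:
            if indicator in src.lower():
                hits.append(("script src: " + src, indicator))
    for body in collector.inline:
        for indicator in MINER_INDICATORS:
            if indicator in body.lower():
                hits.append(("inline script", indicator))
    return hits


# Constructed sample pages (not captured from any real site).
CLEAN_PAGE = (
    "<html><head>"
    '<script src="/sites/default/files/js/jquery.min.js"></script>'
    "</head><body><p>Welcome</p></body></html>"
)

INFECTED_PAGE = (
    "<html><head><title>Site</title>"
    '<script src="https://example.invalid/me0w.js"></script>'
    "<script>"
    'var m = new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER"); m.start();'
    "</script>"
    "</head><body><p>Welcome</p></body></html>"
)


if __name__ == "__main__":
    import sys

    # Scan files given on the command line, or the constructed samples if none.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for location, indicator in find_miner_indicators(fh.read()):
                    print(f"{path}: {indicator} found in {location}")
    else:
        for label, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
            print(label, find_miner_indicators(page))
```

Run it against saved copies of your site's rendered pages (not the Drupal source tree alone, since an injected script may be stored in the database or a theme file and only appear in the output). A hit is a reason to inspect the page source and, as the article notes for the Kitty campaign, to look for a separately installed PHP backdoor rather than assuming that removing the script tag is enough.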