Two Showtime domains are currently loading and running Coinhive, a JavaScript library that mines Monero using the CPU resources of users visiting Showtime's websites.

The two domains are showtime.com and showtimeanytime.com, the latter being the official URL for the company's online video streaming service.

The main Showtime domain name, sho.com, does not include the Coinhive Monero mining script.

Showtime source code

The Monero miner was first discovered 16 hours ago, at around 17:00 ET (22:00 GMT) by a Twitter user named SkensNet.

Hack or experiment?

It is unclear if someone hacked Showtime and included the mining script without the company's knowledge.

Showtime did not respond to a request for comment from Bleeping Computer in time for this article's publication.

It could also be that Showtime is loading the script on purpose, as part of an experiment. This is the most likely explanation, as the setThrottle value is 0.97, meaning the mining script will remain dormant for 97% of the time. A hacker, knowing his intrusion will likely be detected, would usually set a small throttle value and mine as much Monero before getting discovered.

Coinhive has been advertised as a technology that could replace ads by allowing site owners to mine for the Monero cryptocurrency. The technology is very controversial as it uses the site visitor's resources to mine Monero, driving CPU usage through the roof.

Showtime miner

Showtime miner

Showtime miner

The Pirate Bay previously experimented with Coinhive two weeks ago, but user response was mixed, with the majority not liking the idea that The Pirate Bay is hijacking their CPUs and slowing down their PCs.

A recent report has calculated that a site like The Pirate Bay could make around $12,000 per month by mining Monero in the background.

Seeing that The Pirate Bay is ranked #87 in the Alexa traffic ranking, while Showtime is ranked ~#9,500, Showtime's profits would be even smaller.

Coinhive increasingly adopted by malware devs

Coinhive, as a technology, is only ten days old, being officially launched on September 14.

Despite this, Coinhive has been recently adopted by a large number of malware operations, such as malvertisers, adware developers, rogue Chrome extensions, and website hackers, who secretly load the code in a page's background and make money off unsuspecting users.

At least two ad blockers have added support for blocking Coinhive's JS library — AdBlock Plus and AdGuard — and developers have also put together Chrome extensions that terminate anything that looks like Coinhive's mining script — AntiMiner, No Coin, and minerBlock.

UPDATE [September 25, 12:55 ET]: The Coinhive mining scripts have been removed from the Showtime domains. Showtime still hasn't answered Bleeping Computer's request for comment.

h/t @bad_packets