Hacker News
by P4u1 3867 days ago
The domain hosting one of the files seemed too legit to me, so I checked, and it's an actual website of a Brazilian company, http://cjccontabil.com.br/. It seems whoever built the website got a WP (free, I assume) theme from somewhere which happened to include this malicious file (/wp-content/themes/Hermes/main1.js). I guess folks are downloading free stuff and hosting it at their websites without inspecting the content of all files, so if you think you're safe by just making sure your system is injection-proof, think again: are you using some theme or plugin downloaded from somewhere on the web, and if so, have you checked every single file included?
1 comment

The theme directory is a common target for code injection, as it is often set with writeable webserver-user permissions, in order to allow the admin to use the backend theme editor.

Almost all of the compromised accounts I've dealt with over the years were the result of outdated WordPress or plugin installs, where an exploit was used to upload a file to one of the commonly known writeable directories: plugins, uploads, or themes.

Most of those cases could have been prevented if the owner had kept their installs up to date, which is what makes these issues so frustrating to deal with.
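Both comments come down to two checks a site owner can actually run: look at every file a downloaded theme or plugin brought with it, and find out which parts of wp-content the web server (or anyone else) can write to. The script below is an added example, not code from either commenter or from WordPress itself. It greps theme and plugin files for common obfuscation and injection indicators, lists paths writable by group or others, and checks whether wp-config.php sets WordPress's DISALLOW_FILE_EDIT constant, which turns off the backend theme editor the second comment mentions. The indicator list is an assumed starting point (a hit is a lead for manual review, not proof of compromise), the sample tree it builds is a constructed fixture, and /var/www/html in the usage line is an assumed install path.

```shell
#!/bin/sh
# Added example, not code from the HN thread or from WordPress: a small audit
# for the problems the two comments describe. (1) grep theme/plugin files for
# obfuscation/injection indicators, (2) list group/other-writable paths,
# (3) check that wp-config.php disables the built-in theme/plugin editor.
# The INDICATORS list is an assumed starting set; hits need manual review.

# Extended regexes for constructs that legitimate theme code rarely needs.
INDICATORS='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|String\.fromCharCode\(|document\.write\(unescape\(|(\\x[0-9a-fA-F]{2}){4}'

# scan_content DIR: print "file:line:text" for each indicator hit in .php/.js files.
# /dev/null is passed so grep always prefixes the file name, even for a single file.
scan_content() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) \
        -exec grep -nE "$INDICATORS" /dev/null {} + 2>/dev/null || true
}

# scan_perms DIR: print every file or directory writable by group or others.
# If the web server runs in that group, each of these is a drop point for an
# upload exploit of the kind the second comment describes.
scan_perms() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print
}

# check_file_edit WP_CONFIG: succeed only if the theme/plugin editor is disabled.
check_file_edit() {
    grep -qE "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# make_sample DIR: constructed WordPress-like tree (test fixture, not real data):
# one clean theme file, one file carrying an obfuscated loader, a world-writable
# uploads directory, and a wp-config.php that does not set DISALLOW_FILE_EDIT.
make_sample() {
    mkdir -p "$1/wp-content/themes/sample" "$1/wp-content/uploads" "$1/wp-content/plugins"
    cat > "$1/wp-content/themes/sample/functions.php" <<'EOF'
<?php
add_action('wp_enqueue_scripts', 'sample_enqueue');
function sample_enqueue() { wp_enqueue_style('sample', get_stylesheet_uri()); }
EOF
    cat > "$1/wp-content/themes/sample/inject.js" <<'EOF'
var s = String.fromCharCode(104, 116, 116, 112, 58, 47, 47);
eval(decodeURIComponent(s));
EOF
    printf "<?php\ndefine('DB_NAME', 'sample');\n" > "$1/wp-config.php"
    # Normalise modes so only the two deliberate weaknesses are reported.
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 777 "$1/wp-content/uploads"
    chmod 664 "$1/wp-content/themes/sample/inject.js"
}

# audit DIR: human-readable report over one install root.
audit() {
    echo "== indicator hits under $1/wp-content =="
    scan_content "$1/wp-content"
    echo "== group/other-writable paths under $1/wp-content =="
    scan_perms "$1/wp-content"
    echo "== wp-config.php =="
    if check_file_edit "$1/wp-config.php"; then
        echo "DISALLOW_FILE_EDIT is set: theme/plugin editor disabled"
    else
        echo "DISALLOW_FILE_EDIT missing: editor enabled; add define('DISALLOW_FILE_EDIT', true);"
    fi
}

# Usage: sh audit.sh /var/www/html   (assumed install path).
# With no argument, a fixture is built in a temp dir, audited and removed.
if [ -n "${1:-}" ]; then
    audit "$1"
else
    tmp=$(mktemp -d)
    make_sample "$tmp"
    audit "$tmp"
    rm -rf "$tmp"
fi
```

The content scan deliberately stays simple: a grep for eval, base64_decode and friends is noisy on minified vendor scripts, so the useful workflow is to diff a downloaded theme against a fresh copy from the original author and only then read the files that still light up. The permission scan reports mode bits, not ownership, so on a host where the web server owns the files outright you also want to confirm that the owner is not the web server user.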