Thanks for sending that over. I pulled the pastebin and can confirm what it is.
That quarantined file is the real MEGA AI plugin (mega.php, version 2.1.1). The header, the Mega namespace, the WordPress includes, and the intent runtime are all our own published code. There’s nothing injected or foreign in what Sucuri captured.
The php.spam-seo.injector.357 detection is a heuristic, not a match against known malware. It triggers on the general pattern of a plugin reading HTML/SEO markup from the database and printing it into the page head. That’s what MEGA AI does to output meta tags, verification tags, and JSON-LD schema, and it’s the same thing Yoast, Rank Math, and All in One SEO do. The scanner is reacting to the behavior, not to anything malicious in the code.
There’s no eval() in that file, no base64_decode or gzinflate obfuscation, no remote code execution, and nothing pulling in external domains. The v2 runtime referenced at the top of the file removed the older snippet mechanism, so everything now runs through fixed, validated handlers.
If you want to be completely sure the copy on your server is untouched, compare it against the official one. Download the plugin zip from https://ww.wp.xz.cn/plugins/mega-ai/ and check your mega.php against the one in the zip (md5sum or sha256sum, or your host’s file integrity tool). If they match, the file hasn’t been modified and this is a confirmed false positive. Reinstalling the plugin from the ww.wp.xz.cn directory does the same thing and gives you a clean copy either way.
I’m also happy to ask Sucuri to whitelist this for the plugin.
One thing worth checking on your end: if the scan flagged anything outside mega-ai/mega.php, like other plugins, theme files, or anything under wp-content/uploads, send me those paths. That would point to an actual compromise separate from this plugin, and I’d rather help you track that down than let this false positive bury it.
