It looks like https://github.com/nixawk/labs/issues/19 is being exploited like crazy right now. I was getting hits trying to exploit it every 4 hours or so, then the rate sped up for a time. Each hit was trying to download drupal.php from http://18.104.22.168.
Somebody has nulled out that file now, so infection rate will probably drop.
When you aren’t quite first into Virus Total, but not far off, and the malware author who hard-coded an IP address is still using that IP :-)
Virus Total says:
First Submission 2018-04-03 00:00:53
Last Submission 2018-04-03 22:07:38
Last Analysis 2018-04-03 22:07:38
Hopefully the IP address owner got a dozen emails already, they’re a cloud provider.