Hi, the same issue here.
Last week I received a notification from google ads that my site is potentially infected. It was true.
All header.php of template files were compromised even the ones were not in use. As I share the server to host other sites, these other sites were infected as well.
Now I'm fixing the issue. I deleted the malicious code manually in every header.php file. I have looked for the code into index.php files and 404.php but no infection was found.
Every single wordpress site was infected.
I also host a Joomla site and think it was the door the malicious code took advantage of to get into the server. A number of folders and php files were created along the joomla ones. Currently I'm deleting all these folders and files and making a backup. I'm going to turn down this site for a while until I finish cleaning the other wordpress installations because there were files with cronjobs that I suspect are responsible of creating malicious code periodically.
I changed my hosting, ftp, cms passwords and hardened all options on sucuri for wordpress. Now my site appears clean.
I have been working on this issue since yesterday and everything is working fine. No malicious code was generated again.
Hope this helps! Going to keep you updated...