Malicious push notification script being injected into the header. This then enables push notifications for adult material, gambling sites and antivirus that I’ve seen so far.
The script wasn’t picked up by a securi scan or by wordfence. There is another thread on this topic but it is unclear whether it was resolved.