We discovered that WP-Doctor, a plugin in the WordPress repository contained malicious code. After confirming the plugin had malicious code in it, we contacted WordPress Security and they took it down.
It is important to mention that they noted they couldn’t find anywhere in the code where the malicious code was activated, so they don’t believe it was hurting the sites, but took it down until it was repaired.
We had great hope that the company would fix the issue, and everyone would be happy. Sadly, it was suspended in September, 2018 and has had no updates as of November 10th, 2019.
We suggest that you delete the plugin WP-Doctor since it still isn’t patched.