Metro International's US website has been hacked to serve malicious code to users, according to security firm Websense.
The news site, which is not linked to the British newspaper of the same name, is thought to have been injected with code that redirects users to a malware download, a contention Metro is said to be investigating.
Carl Leonard, senior manager of security research at Websense, said: "The rising prevalence of cybercriminals targeting news and media sites highlights that businesses cannot afford to continue to put web security on the back burner - ignorance absolutely is not bliss when it comes to cybersecurity."
The RIG exploit kit, a tool that emerged this April and has previously been connected with Cryptowall ransomware, is said to be used to drop the virus.
In the last two months the United States accounted for a third of countries affected by the kit, with Canada, Australia and the UK accounting for 6% each, according to Websense.
"A compromised website courtesy of malicious actors, as is the case with Metro US, is a disaster in every organisation's book," Leonard added.
"It is therefore vital that businesses formulate a tried and trusted disaster recovery plan."
Metro has yet to reply to requests for comment.