Howdy! This thread helped me find the same attack on my website. Many thanks for that.
FWIW, in my case the wp_options table option_name is “_prevtype1″.
I noticed your plugin doesn’t touch that mysql db row. Any harm in deleting it, or NOT deleting it?
Any idea of how the injection is happening yet? I’m running a minimal set of plugins, one user/admin with a very strong password… Probably coming in thru the godaddy shared server setup I’m guessing, but wondered if anybody narrowed it down to a new vulnerability?