My blog template adds a malicious link in href attribute when href is empty or not refer to any of my blog pages.
I have tried to search the script but I can't find where it's changing / adding the href.
my blog template source: pastebin
<b:widget id='HTML10' locked='false' title='MenuNav' type='HTML' version='1'>
<b:includable id='main'>
<!-- Menu -->
<nav class='header__nav' id='topnav' itemscope='itemscope' itemtype='http://schema.org/SiteNavigationElement' role='navigation'>
<button class='nav__toggle toggleClass reset' data-target='nav__menu'>
<span class='nav__toggle--icon'><span/></span>
</button>
<data:content/>
</nav><!-- .header__nav -->
</b:includable>
</b:widget>
Always search in your blog template code for external scripts that not belongs to a trusted party, usually all the inordinary behaviors happen by an external script that may injecting a malicious link or change the pages content,...etc. So avoid using free or hacked premium templates, and deal with a trusted template.
In your case I found the external script that causing the problem, search for:
<script src='https://cdn.rawgit.com/tigakoin/them/e79bc2cc/heaadss.js' type='text/javascript'/>
remove it, and Save Settings.