Security researcher Scott Helme said more than 4,000 websites, including many government ones, were affected.
He said the affected code had now been disabled and visitors were no longer at risk.
The ICO said:
“We are aware of the issue and are working to resolve it.”
Mr Helme said he was alerted by a friend who had received a malware warning when he visited the ICO website.