I never had this issue before. After the first time, I cleared my cache as I thought it may have been some weird issue but I have received it again right afterwards. It happened after I logged into my forum.
I opened the file and it seems to have some sort of gif header.
It could be injected at the server level (worth noting that I didn't see any requests for it when I loaded the page). In terms of XF, the best you can really do is ensure there aren't any unexpected files (which won't be checked by the file health check, though they won't be loaded automatically) and rebuild the master data via /install/. Ideally, you'd want to restore a backup (files and database) from prior to the issue occurring to ensure nothing is untoward.