A recent supply chain attack has compromised thousands of e-commerce websites by exploiting a widely used third-party reviews widget. Cybercriminals associated with the SmartApeSG campaign injected malicious JavaScript into the Okendo Reviews widget, a platform utilized by over 18,000 brands globally, to distribute malware to unsuspecting visitors.
The attack operated covertly: visitors to affected online stores had no indication that a script running on the page was profiling their browser and staging a malicious payload. The Okendo widget is typically embedded on high-traffic pages, including homepages, product pages, and review submission forms, so a single tampered script reached a broad audience across every storefront that loaded it.
Security analysts from Zscaler ThreatLabz first detected this activity on May 14, 2026, noting an unusual surge in traffic linked to the SmartApeSG threat actor. Their investigation revealed malicious code concealed within the legitimate widget script, indicating a clear supply chain compromise capable of affecting any site using the widget.
SmartApeSG, also known as ZPHP and HANEYMANEY, has a history of delivering dangerous tools such as NetSupport RAT, Remcos RAT, StealC, and Sectop RAT. These programs enable attackers to remotely control victims’ computers or steal sensitive data like passwords and financial credentials.
Upon discovery, ThreatLabz reported the incident to Okendo, which promptly restored the widget script to a clean state, halting the active threat. However, the period during which the malicious script was active may have exposed a significant number of visitors across numerous websites.
Attack Methodology
The attackers targeted a widely used third-party widget to extend their reach without breaching any individual site: one modification to the vendor-hosted script was served to every storefront embedding it. The malicious JavaScript acted as a staged loader, executing step by step and checking the environment before fetching additional content.
The script used a flag in localStorage to avoid running more than once in the same browser (localStorage is scoped per origin, so the flag applied per store domain rather than per device). It also inspected the visitor's User-Agent string to filter out mobile users and focus on desktops, as later stages of the attack relied on Windows-based interactions.
Once these checks were satisfied, the script ran an XOR-based decoding routine to reconstruct a hidden URL, then injected that URL as a new script element to fetch the next stage. Victims who passed these filters were presented with a fake CAPTCHA or verification screen, a technique known as ClickFix. These prompts instructed users to open a downloaded file, leading to the installation of malware. No legitimate CAPTCHA or verification step requires the visitor to run a file, which is the practical tell for this lure.
Implications and Recommendations
This incident underscores the critical importance of securing third-party components in the software supply chain. Organizations must rigorously vet the external scripts and widgets they embed and keep monitoring them after deployment, because a vendor-hosted script can change at any time without any action by the site owner. Regular audits of which third-party scripts load on each page, detection of unexpected changes to those scripts, and an established channel for reporting and receiving vendor security notices are essential to mitigate such risks. Users should remain vigilant, especially when a web page prompts them to download and execute a file, and ensure their systems are equipped with up-to-date security measures.