An alarming supply chain attack has compromised thousands of e-commerce websites by turning a widely used third-party reviews widget into a vehicle for malware distribution. The attack leveraged the Okendo Reviews widget, a service utilized by more than 18,000 brands globally, to discreetly spread harmful software to unsuspecting users.
The attackers behind the SmartApeSG campaign managed to inject malicious JavaScript into the Okendo widget. This allowed them to deliver malware to visitors of affected online stores without detection. The script, embedded on high-traffic pages such as homepages and product listings, served as an ideal entry point for compromising a large audience.
Discovery and Response
The suspicious activity was first detected on May 14, 2026, by analysts at Zscaler ThreatLabz. They observed a surge in traffic associated with the SmartApeSG threat actor, prompting further investigation. The analysis revealed that the widget’s legitimate script contained hidden malicious code, highlighting a significant supply chain vulnerability.
SmartApeSG, also known as ZPHP and HANEYMANEY, is notorious for previous campaigns involving tools like NetSupport RAT and Remcos RAT. These tools enable attackers to remotely control victim computers or steal sensitive data. Upon discovering the breach, Zscaler promptly informed Okendo, which swiftly rectified the issue by cleaning the compromised script.
Technical Breakdown of the Attack
The attackers strategically targeted the Okendo widget to maximize their reach. By compromising a single, widely used service instead of individual websites, they extended their impact significantly. The malicious script acted as a staged loader, executing its tasks incrementally and checking the environment before proceeding.
To avoid repeated execution, the script utilized browser-based tracking and filtered out mobile users, focusing on desktops due to the reliance on Windows-based interactions. Once the checks were satisfied, the script used an XOR-based method to decode and load further malicious content.
Scale and Impact of the Campaign
The attack’s scale was substantial, with the compromised widget appearing on websites of various sizes, from mid-tier online stores to major retail brands. Affected sites reported traffic ranging from 150,000 to several million monthly visitors, with one U.S. retail brand alone receiving about 7 million visitors monthly.
On the peak day of May 14, Zscaler recorded nearly 15,000 blocks related to SmartApeSG, indicating the campaign’s intensity. Although these figures represent blocked attempts rather than confirmed infections, they underscore the rapid spread potential of a supply chain attack when a popular vendor is compromised.
Website owners relying on third-party scripts like Okendo are advised to regularly audit their integrations and remain vigilant for any anomalies in their website behavior.
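One way to run such an audit is sketched below as an added example, not code from Okendo or Zscaler: it inventories the external scripts a page loads and compares each one against a hash pinned at the last review. The hosts, script bodies and function names are hypothetical, and the sample data is constructed so the check runs offline.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_hash(body: bytes) -> str:
    """SHA-384 digest in the format used by the HTML integrity attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptInventory(HTMLParser):
    """Collects the src of every external <script> tag on a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def audit(page_html, site_host, baseline, fetched):
    """Return (url, status) for each third-party script on the page.

    baseline: url -> hash pinned when the script was last reviewed
    fetched:  url -> bytes served now (download them in real use)
    """
    inventory = ScriptInventory()
    inventory.feed(page_html)
    findings = []
    for url in inventory.sources:
        host = urlparse(url).netloc
        if not host or host == site_host:
            continue  # first-party script, out of scope for this check
        if url not in baseline:
            status = "unreviewed"  # loaded by the page but never pinned
        else:
            status = "ok" if sri_hash(fetched[url]) == baseline[url] else "changed"
        findings.append((url, status))
    return findings

# Constructed sample data: hypothetical hosts and script bodies.
WIDGET = "https://widgets.example.net/reviews.js"
TRACKER = "https://cdn.example.org/analytics.js"
PAGE = (f'<script src="/app.js"></script><script src="{WIDGET}"></script>'
        f'<script async src="{TRACKER}"></script>')
REVIEWED = b"renderReviews();"
BASELINE = {WIDGET: sri_hash(REVIEWED)}
SERVED = {WIDGET: REVIEWED + b"/* code appended upstream */", TRACKER: b"track();"}

if __name__ == "__main__":
    print(audit(PAGE, "shop.example.com", BASELINE, SERVED))
```

A "changed" result is not proof of compromise, since vendors ship legitimate updates, but it tells the site owner which script to diff and review before trusting it again.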
