SmartApeSG Compromises Okendo Reviews Widget: Supply-Chain Attack Analysis

In a sophisticated supply-chain maneuver, the threat actor known as SmartApeSG successfully compromised the Okendo Reviews widget, leveraging a trusted third-party dependency to distribute staged JavaScript loaders across a massive e-commerce footprint. Because Okendo’s client-facing review widget is integrated into more than 18,000 brands—frequently appearing on critical high-traffic surfaces like homepages and product pages—the injection created significant downstream exposure for any merchant utilizing the contaminated script.

After ThreatLabz discovered the injection, it reported the incident to Okendo, which confirmed the breach and restored the widget to a verified clean state.

Technical Analysis: Stealth-Oriented Execution

A forensic inspection of the injected payload reveals that SmartApeSG did not opt for a loud, immediate exploit. Instead, they deployed a “low-noise” staged loader designed to bypass traditional heuristic detection. The JavaScript payload begins with a series of environment and execution-control checks intended to narrow the target population so that the payload only fires on lucrative, high-value victims.

  • User-Agent Filtering: The script selectively targets desktop environments while explicitly filtering out most mobile clients. This behavior aligns with the later-stage ClickFix-style workflows, which rely heavily on desktop-specific interaction patterns.
  • State Persistence: To evade detection by security researchers monitoring for repetitive anomalous behavior, the loader utilizes localStorage to store a timestamped execution marker. This effectively “short-circuits” subsequent activations, ensuring the script remains dormant on a single device after the initial hit.

Figure 1: SmartApeSG loader workflow overview (Source: Zscaler).

Deobfuscation and Dynamic Payload Delivery

The core of the loader’s stealth lies in how it handles its Command and Control (C2) communications. Rather than utilizing cleartext URLs, the script employs an XOR-style deobfuscation process. At runtime, the script decodes fragmented hex strings and assembles a randomized eight-character token to construct the final retrieval path.

Figure 2: Malicious SmartApeSG JavaScript code injected into the Okendo Reviews script (Source: Zscaler).

Once the environment is deemed favorable, the loader dynamically injects a new <script> element into the DOM to fetch the next-stage payload. This staged retrieval model provides the attackers with immense operational flexibility; they can rotate their backend infrastructure or change the second-stage payload without ever needing to modify the primary widget code distributed across thousands of client sites.
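The four loader traits described above (user-agent gating, a timestamped localStorage marker, hex-fragment XOR decoding and dynamic script injection) can be turned into a static review heuristic for third-party bundles. The scanner below is an added example, not Zscaler's or Okendo's code, and both sample scripts it runs over are constructed for illustration.

```javascript
// Added example (not Zscaler's or Okendo's code): a static heuristic scanner that
// flags the staged-loader traits the analysis describes. Each trait is a predicate
// over the script source; hits are reported by name so an analyst can triage.
const TRAITS = [
  { name: "user-agent filtering",
    test: s => /navigator\.userAgent/.test(s) && /Mobi|Android|iPhone/i.test(s) },
  { name: "timestamped localStorage marker",
    test: s => /localStorage\.setItem\([^)]*Date\.now\(\)/.test(s) },
  { name: "hex-fragment XOR deobfuscation",
    test: s => /parseInt\([^,]+,\s*16\)\s*\^|fromCharCode\([^)]*\^/.test(s) },
  { name: "dynamic script injection",
    test: s => /createElement\(\s*["']script["']\s*\)[\s\S]{0,200}appendChild/.test(s) },
];

// Returns the names of the traits found in `source`.
function scanScript(source) {
  return TRAITS.filter(t => t.test(source)).map(t => t.name);
}

// Three or more traits together is the loader pattern; one alone only merits review,
// since legitimate widgets also read the UA or write to localStorage.
function riskLevel(source) {
  const hits = scanScript(source);
  return hits.length >= 3 ? "high" : hits.length > 0 ? "review" : "none";
}

// Constructed sample resembling the staged-loader behaviour described above
// (no real endpoint; the decoded string is meaningless).
const SUSPICIOUS = `
if (/Mobi|Android/i.test(navigator.userAgent)) { return; }
if (!localStorage.getItem("_x")) { localStorage.setItem("_x", Date.now()); }
var u = ["3a","1f"].map(h => String.fromCharCode(parseInt(h, 16) ^ 77)).join("");
var s = document.createElement("script"); s.src = u; document.head.appendChild(s);
`;

// Constructed benign widget code: caches a theme setting and renders a placeholder.
const BENIGN = `
var isMobile = window.innerWidth < 600;
localStorage.setItem("widget-theme", "light");
document.getElementById("reviews").textContent = "Loading reviews...";
`;
```

Run it over each vendor bundle at pin time and again whenever the fetched body changes; a jump from "none" to "high" on an unchanged version number is exactly the signal this incident would have produced.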

Following the initial infection, the chain transitions from technical stealth to social engineering. ThreatLabz observed the later stages presenting victims with fraudulent CAPTCHA prompts or “system verification” alerts. These prompts trick users into executing commands via the Windows Run dialog, which ultimately triggers the download of PowerShell or HTA-based malware.

Historically, SmartApeSG has been linked to the deployment of potent malware families, including NetSupport and Remcos (Remote Access Trojans), as well as StealC (an information stealer). This campaign follows an established pattern of high-impact, multi-stage delivery.

Impact and Exposure Scale

The scale of this compromise is vast. During the observation window, the malicious widget was identified on sites ranging from mid-market retailers to enterprise-level e-commerce platforms. Traffic telemetry suggests that impacted properties saw monthly visits ranging from 150,000 to several million. In one notable instance, a major U.S. retail brand with approximately 7 million monthly visits was identified in the telemetry.

Figure 3: SmartApeSG blocks (on a log scale) in the Zscaler cloud in May 2026 (Source: Zscaler).

The effectiveness of the attack was underscored by a massive spike in detections on May 14, 2026, when Zscaler recorded nearly 15,000 blocks in a single 24-hour period.

Defensive Recommendations

This incident serves as a stark reminder of the inherent risks associated with third-party dependencies. To mitigate the risk of similar supply-chain compromises, organizations should adopt the following posture:

  • Implement Integrity Controls: Utilize Subresource Integrity (SRI) hashes to ensure that fetched scripts have not been altered.
  • Enforce Content Security Policy (CSP): Use CSP headers to restrict the domains from which scripts can be loaded and prevent unauthorized dynamic script injection.
  • Behavioral Monitoring: Deploy endpoint and network detection solutions capable of identifying runtime string deobfuscation, suspicious localStorage manipulation, and staged script loading.
  • Vendor Governance: Require third-party providers to demonstrate robust integrity monitoring, rapid rollback capabilities, and transparent incident disclosure protocols.

Indicators of Compromise (IOCs)

Type                  Indicator
Compromised Script    hxxp://cdn-static[.]okendo[.]io/reviews-widget-plus/js/okendo-reviews[.]js
SmartApeSG C2 (1)     hxxps://api[.]wigetticks[.]com/logout/private-response[.]php?8D1V4th3
SmartApeSG C2 (2)     hxxps://api[.]wizzleticks[.]com/claims/scope-schema[.]php?4ManBBdA

Note: Domains are intentionally defanged (e.g., [.]) to prevent accidental resolution.
