Hackers Exploit Okendo Reviews Script to Spread Smart
A new supply chain attack has exposed thousands of e-commerce websites to risk, leveraging a popular third-party reviews widget as a stealthy malware delivery mechanism. This campaign, detailed in a
Threat actors behind the SmartApeSG campaign injected malicious JavaScript into the Okendo Reviews widget, a platform trusted by more than 18,000 brands worldwide, to push malware to unsuspecting visitors.
The attack unfolded silently, meaning visitors to affected online stores had no idea that a script running on the page was scanning their system and preparing to serve malicious content.
The Okendo widget is typically embedded on high-traffic pages, including store homepages, product pages, and review submission forms, making it an ideal point of compromise for attackers looking to reach a wide audience.
Analysts from Zscaler ThreatLabz first spotted this activity on May 14, 2026, when they noticed an unusual surge in traffic linked to the SmartApeSG threat actor.
Zscaler said in a report shared with Cyber Security News (CSN) that their team discovered malicious code hidden inside the legitimate widget script, and that the attack represented a clear supply chain compromise capable of affecting any site using the widget.
SmartApeSG, also tracked under the names ZPHP and HANEYMANEY, is not a new name in the threat landscape.
The group has been linked to past campaigns that delivered dangerous tools including NetSupport RAT, Remcos RAT, StealC, and Sectop RAT.
These are programs that allow attackers to take control of a victim’s computer remotely or steal sensitive data like passwords and financial credentials.
Following the discovery, ThreatLabz reported the incident to Okendo directly, and the company confirmed it was aware of the issue. Okendo acted quickly and restored the widget script to a clean state, stopping the active threat.
However, the window during which the malicious script was live may have been long enough to expose a significant number of visitors across many websites.
Hackers Abuse Third-Party Okendo Reviews Script
The attackers chose their target wisely. By compromising a widely used third-party widget rather than individual websites, they extended their reach dramatically without needing to breach each site separately.
The malicious JavaScript acted as a staged loader, meaning it did not execute all of its actions at once. Instead, it moved step by step, checking the environment before pulling in additional content.
The script used browser-based tracking through localStorage to prevent repeated execution on the same device. It also checked the visitor’s User-Agent string to filter out mobile users and focus on desktops, since later stages of the attack relied on Windows-based interactions.
Once those checks passed, the script used an XOR-based decoding routine to quietly rebuild a hidden URL, which it then loaded as a new script element to fetch the next stage.
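For defenders reviewing a third-party script, the four behaviors described above can be checked together with a static scan. The following is an added example, not code from Zscaler, Okendo, or the campaign; the regular expressions, the scoring thresholds, and both sample strings are assumptions constructed for illustration.

```javascript
// Added example: static triage of a third-party script for the staged-loader
// traits the article describes. Heuristic only; patterns are assumptions.
const TRAITS = {
  // localStorage used as a "run once per device" marker
  runOnceMarker: /\blocalStorage\s*\.\s*(?:getItem|setItem)\b|\blocalStorage\s*\[/,
  // User-Agent inspection (used to skip mobile visitors)
  userAgentFilter: /\bnavigator\s*\.\s*userAgent\b/,
  // XOR applied to character codes: a string being decoded at runtime
  xorDecode: /charCodeAt\s*\([^)]*\)\s*\^|\^\s*[\w$.]+\.charCodeAt\s*\(/,
  // a new <script> element created from code
  dynamicScript: /createElement\s*\(\s*["']script["']\s*\)/i,
};

function scanForLoaderTraits(source) {
  const hits = Object.keys(TRAITS).filter((name) => TRAITS[name].test(source));
  // Each trait alone is common in benign widgets; the combination merits review.
  let verdict = "ok";
  if (hits.length >= 3) verdict = "suspicious";
  if (hits.length === Object.keys(TRAITS).length) verdict = "review-now";
  return { hits, verdict };
}

// Constructed sample: an ordinary widget that only adds a script tag.
const SAMPLE_BENIGN = [
  'var s = document.createElement("script");',
  's.src = "https://cdn.example.invalid/reviews.js";',
  "document.head.appendChild(s);",
].join("\n");

// Constructed sample: isolated fragments showing each trait (not the campaign's code).
const SAMPLE_TRAIT_FRAGMENTS = [
  'if (localStorage.getItem("k")) return;',
  "if (/Mobi|Android/.test(navigator.userAgent)) return;",
  "out += String.fromCharCode(data.charCodeAt(i) ^ key);",
  'var el = document.createElement("script");',
].join("\n");

console.log(scanForLoaderTraits(SAMPLE_BENIGN));
console.log(scanForLoaderTraits(SAMPLE_TRAIT_FRAGMENTS));
```

A minified or heavily obfuscated script can hide these tokens, so a clean result from this scan is not proof that a script is safe.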

Victims who passed these filters were shown a fake CAPTCHA or verification screen, a technique known as ClickFix.
These prompts instructed users to open the Windows Run menu and paste a command that was already copied silently to their clipboard.

That command then pulled down a PowerShell script or HTML Application file, which installed a remote access tool or information stealer on the victim’s machine.
Estimated Reach and Scale of the Campaign
The scale of this attack is hard to ignore. ThreatLabz observed the compromised widget running on websites ranging from mid-sized online shops to large retail brands.
Traffic estimates for affected sites ranged from around 150,000 to several million monthly visitors, and one impacted U.S. retail brand alone draws approximately 7 million visitors per month.

On May 14, 2026 alone, Zscaler’s platform recorded nearly 15,000 blocks tied to SmartApeSG, reflecting how intense the campaign was at its peak.
While these numbers represent blocked attempts and not confirmed infections, they highlight how fast a supply chain compromise can spread when a popular vendor is targeted.
Website owners who rely on third-party scripts should audit their integrations and watch closely for any unexpected behavior on their pages.
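One way to audit an integration is to pin a hash of each vendor-hosted script at review time and alert when the served content no longer matches. The following is an added example, not code from the report or from Okendo; the URL, the script bodies, and the function names are hypothetical, and fetching the scripts is assumed to happen elsewhere.

```javascript
// Added example: detect drift in vendor-hosted scripts against a pinned baseline.
const { createHash } = require("node:crypto");

// SRI-format digest ("sha384-<base64>"), the same value a <script integrity="..."> uses.
function sriHash(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

// baseline: { url: pinnedSri }   fetched: { url: bodyText } from your own fetcher.
function auditThirdPartyScripts(baseline, fetched) {
  const findings = [];
  for (const [url, pinned] of Object.entries(baseline)) {
    if (!(url in fetched)) {
      findings.push({ url, status: "missing" });
      continue;
    }
    const current = sriHash(fetched[url]);
    findings.push({ url, status: current === pinned ? "unchanged" : "changed", current });
  }
  // Scripts the page loads that nobody has reviewed and pinned yet.
  for (const url of Object.keys(fetched)) {
    if (!(url in baseline)) {
      findings.push({ url, status: "unpinned", current: sriHash(fetched[url]) });
    }
  }
  return findings;
}

// Constructed inputs: hypothetical URL and script bodies.
const WIDGET_URL = "https://cdn.example.invalid/widget/reviews.js";
const REVIEWED_BODY = "renderReviews(document.querySelector('#reviews'));";
const BASELINE = { [WIDGET_URL]: sriHash(REVIEWED_BODY) };
const SERVED_TODAY = { [WIDGET_URL]: REVIEWED_BODY + "\n/* content added after review */" };

console.log(auditThirdPartyScripts(BASELINE, SERVED_TODAY));
```

Placing the same digest in the tag's `integrity` attribute makes the browser refuse a modified file outright, but it also breaks the widget whenever the vendor updates the script in place, which is why many sites monitor and alert instead.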
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| URL | hxxp://cdn-static[.]okendo[.]io/reviews-widget-plus/js/okendo-reviews[.]js | Compromised Okendo Reviews widget script URL |
| URL | hxxps://api[.]wigetticks[.]com/logout/private-response[.]php?8D1V4th3 | SmartApeSG next-stage delivery URL |
| URL | hxxps://api[.]wizzleticks[.]com/claims/scope-schema[.]php?4ManBBdA | SmartApeSG next-stage delivery URL |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


