Cybersecurity researchers have discovered a sophisticated keylogger attack targeting the employee store of one of the biggest banks in America, putting over 200,000 employees at risk of having their credentials stolen. Everything entered into the website's forms, including payment card numbers, login credentials, and personal data, was intercepted by the malware, raising grave concerns about possible lateral movement into internal banking systems.
Enterprise Security Perimeters' Critical Gap

The hack exposes a risky blind spot in corporate security architectures: employee-facing e-commerce platforms handle sensitive corporate credentials, yet they are often left out of routine security audits. Because bank employees frequently have elevated access to crucial financial systems, credential harvesting on such external platforms is a high-value target for threat actors seeking initial access to banking infrastructure.

Gap in detection

The attack was caught using specialized e-commerce threat intelligence, while generic security solutions overlooked it entirely. At the time of detection, VirusTotal showed that only 1 out of 97 security vendors had flagged the malicious infrastructure, highlighting the detection gap for attack vectors unique to e-commerce.

The bank's failure to publish security contact details via the industry-standard security.txt file made incident response even more difficult and created needless obstacles to responsible disclosure. Despite prompt attempts to notify the bank via LinkedIn and email, remediation was delayed by these inadequate security channels.

How the assault operates

To evade static analysis, the malware used a two-stage loader architecture. The initial payload employed character code obfuscation and checked whether the user had reached a checkout page before loading the secondary harvesting script from js-csp.com/getInjector/.
The second stage then methodically extracted all form data, including input fields, select menus, and text areas, and exfiltrated the stolen credentials via image beacon requests to get around security measures. This attack pattern is consistent with infrastructure previously seen in campaigns against the Green Bay Packers, and it is the fifth getInjector campaign found in the last 12 months.
Just before Christmas 2025, the js-csp.com domain was registered, and within weeks of its deployment, Sansec discovered the compromise. To handle this new attack surface, companies that run employee stores should put client-side script monitoring into place right away, incorporate internal e-commerce platforms into security audit scopes, and use specialized e-commerce threat detection tools.
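Client-side script monitoring of the kind recommended above, as an added example that is not Sansec's or the bank's code: pure checks for the three behaviours the article describes (a script loaded from a non-allowlisted origin, character-code obfuscation in inline script text, and an image beacon carrying form-like data to a third-party host), plus a browser-only MutationObserver hook that reports findings. The allowlisted origins and the hosts in the test are constructed placeholders.

```javascript
const ALLOWED_ORIGINS = new Set([
  "https://store.example-bank.test", // constructed placeholder origins
  "https://cdn.example-bank.test",
]);
const SITE_BASE = "https://store.example-bank.test/"; // for resolving relative URLs
const SENSITIVE_KEYS = /pass|pwd|card|cvv|cvc|expir|login|user|email|ssn/i;
// Any <script src> whose origin is not allowlisted is reported; an injected
// loader like the one in the article would trip this on first insertion.
function isUnexpectedScriptSrc(src, allowed = ALLOWED_ORIGINS) {
  try {
    return !allowed.has(new URL(src, SITE_BASE).origin);
  } catch {
    return true; // unparsable src: treat as suspicious
  }
}

// Inline script text built from long String.fromCharCode(...) number lists is
// the character-code obfuscation the article's first stage used.
function looksCharCodeObfuscated(source) {
  return /String\.fromCharCode\s*\(\s*(?:\d{1,3}\s*,\s*){8,}\d{1,3}\s*\)/.test(source);
}

// An <img> pointed at a non-allowlisted host whose query string is long or
// carries form-like field names matches the image-beacon exfiltration pattern.
function isSuspiciousImageBeacon(src, allowed = ALLOWED_ORIGINS) {
  let url;
  try { url = new URL(src, SITE_BASE); } catch { return true; }
  if (allowed.has(url.origin)) return false;
  if (url.search.length > 200) return true;
  for (const key of url.searchParams.keys()) if (SENSITIVE_KEYS.test(key)) return true;
  return false;
}

// Browser-only hook: watch the DOM for injected <script> and <img> nodes and
// pass findings to report() (e.g. navigator.sendBeacon to your SOC endpoint).
// Returns null outside a browser, so the pure checks above remain testable in Node.
function installMonitor(report) {
  if (typeof document === "undefined" || typeof MutationObserver === "undefined") return null;
  const check = (node) => {
    if (node.tagName === "SCRIPT") {
      if (node.src && isUnexpectedScriptSrc(node.src)) report({ kind: "script", src: node.src });
      if (!node.src && looksCharCodeObfuscated(node.textContent || "")) report({ kind: "obfuscated-inline" });
    } else if (node.tagName === "IMG" && isSuspiciousImageBeacon(node.src)) {
      report({ kind: "beacon", src: node.src });
    }
  };
  const obs = new MutationObserver((muts) => muts.forEach((m) => m.addedNodes.forEach(check)));
  obs.observe(document.documentElement, { childList: true, subtree: true });
  return obs;
}
```

These are heuristics for the pattern described here, not a substitute for a CSP with script allowlisting and an audit scope that includes the employee store.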