CyberInsider

Reliable cybersecurity news and resources

General

Latest News

About

CyberInsider covers the latest news in the cybersecurity and data privacy world. In addition to news, we also publish in-depth guides and resources.
See our Mission >

Major US bank suffers keylogger infection on internal merch store

By Leave a Comment
LinkedInReddit

A malicious keylogger was discovered on the internal merchandise store of a top-three US bank, exposing sensitive data from over 200,000 employees.

The malware harvested login credentials, personal information, and payment details for approximately 18 hours before it appeared to have been removed, though the bank has yet to confirm its remediation.

Sansec, a Netherlands-based cybersecurity firm specializing in eCommerce threat detection, uncovered the infection on January 14, 2026, using its custom scanning tools. The malware operated undetected and targeted a store used by employees to order company-branded merchandise. Credentials collected from this store could be reused by employees on more sensitive internal systems, potentially allowing lateral movement by threat actors.

Despite promptly attempting to alert the bank via email and LinkedIn, Sansec encountered communication hurdles due to the absence of a security.txt file on the bank's domain, an industry-standard mechanism for vulnerability disclosure.

The attack employed a two-stage JavaScript-based loader. The first-stage script was obfuscated using JavaScript character codes to evade static detection and would activate only on pages containing the word “checkout.” Once triggered, it loaded a second-stage payload from the domain js-csp.com, which scraped all form inputs, capturing data such as usernames, passwords, payment card numbers, and addresses.

The malicious JScript
Sansec

The stolen data was exfiltrated via an image beacon, a technique where form data is encoded in base64 and sent as part of an image request, bypassing many traditional network defenses.

Sansec linked this campaign to a series of previous attacks using nearly identical infrastructure and techniques. The same threat actor had previously deployed malware via domains like js-stats.com, artrabol.com, and jslibrary.net, all using the path /getInjector/ for payload delivery. Notably, this infrastructure was also used in a 2025 attack targeting the Green Bay Packers' online store, reinforcing the likelihood of a persistent, financially motivated group focused on eCommerce targets.

Sansec's timeline indicates the domain was registered on December 23, 2025, and the attack was first detected less than a month later, on January 14, 2026. The malware remained active for approximately 18 hours before it was reportedly removed. While the malware has been removed, there has yet to be a public response from the affected bank.

If you liked this article, be sure to follow us on X/Twitter and also LinkedIn for more exclusive content.

LinkedInReddit

More from CyberInsider

About Amar Ćemanović

Amar Ćemanović is an experienced editor and trained engineer with a keen eye for detail and a passion for technology. 
Based in Bosnia, Amar specializes in producing high-quality, engaging content. He holds a Master’s degree in engineering, which helps him maintain a meticulous approach to all editorial work. Amar brings a well-rounded knowledge base, covering everything from tech solutions to privacy tools.

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *

Share to...
BlueskyBufferCopyFlipboardHacker NewsLineLinkedInMastodonMessengerMixNextdoorPinterestPrintRedditSMSTelegramThreadsTumblrVKWhatsAppXingYummly