On May 14, 2026, a supply chain attack was discovered targeting the Okendo Reviews widget, a customer review platform used by over 18,000 brands. The threat actor injected malicious JavaScript code into the legitimate widget, which is deployed on high-traffic e-commerce pages including storefronts and product pages. The compromised JavaScript acted as a staged loader, using obfuscation, localStorage tracking, User-Agent filtering, and XOR-based decoding to conceal next-stage infrastructure. The attack employed ClickFix-style social engineering to deceive users into executing malicious commands, ultimately delivering remote access trojans like NetSupport and Remcos, or information stealers such as StealC. Affected websites received hundreds of thousands to millions of monthly visitors, with nearly 15,000 blocks recorded in a single day.