Keylogger Discovered on Major US Bank's Employee Store Affecting 200,000+ Staff
Security researchers at Sansec have discovered an active keylogger on the employee store of one of America's largest banks, potentially exposing credentials and payment data for over 200,000 staff members.
The attack was detected on January 14, 2026, and remained active until January 15 when the malware appears to have been removed.
What's Being Stolen
The malware intercepts everything typed into the site's forms, including:
- Login credentials
- Payment card numbers
- Personal information
How the Attack Works
The malware uses a two-stage loader. A small script first checks whether the user is on a checkout page, then loads an external payload from js-csp.com/getInjector/.
The second stage harvests all form data and exfiltrates it via an image beacon, a technique that bypasses many security controls. Stolen data is sent to js-csp.com/fetchData/ encoded in Base64.
The code uses character code obfuscation to evade static analysis.
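As an added, defender-side example (not Sansec's code, nor anything from the affected site), the following Python flags both stages of the loader described above in web proxy logs and decodes the beacon payload using the exfiltration URL pattern listed under Indicators of Compromise. The log format, the sample log lines and the "stolen" values are constructed for illustration.

```python
"""Flag getInjector loader fetches and fetchData beacons in web proxy logs.
Added example, not Sansec's code. Assumes a constructed log format of
'<timestamp> <client> <method> <url> <referer>'; domains and paths are the
article's indicators, the sample lines and the stolen values are made up."""
import base64
from urllib.parse import parse_qs, urlsplit

# Domains of the five "getInjector" campaigns named in the article.
KNOWN_DOMAINS = {"js-csp.com", "js-stats.com", "js-tag.com",
                 "jslibrary.net", "artrabol.com"}

# Constructed proxy log: a benign script, then stage one and stage two.
SAMPLE_LOG = """\
2026-01-14T10:02:11Z 10.1.2.3 GET https://cdn.example-bank.test/app.js https://store.example-bank.test/checkout
2026-01-14T10:02:12Z 10.1.2.3 GET https://js-csp.com/getInjector/ https://store.example-bank.test/checkout
2026-01-14T10:02:40Z 10.1.2.3 GET https://js-csp.com/fetchData/?data=dXNlcj1qZG9lJnBhc3M9aHVudGVyMg%3D%3D&loc=https%3A%2F%2Fstore.example-bank.test https://store.example-bank.test/checkout
"""

def classify_url(url):
    """Return (kind, details); kind is 'loader', 'beacon', 'domain' or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path.rstrip("/")
    if path.endswith("/fetchData"):
        # Stage two: captured form data, Base64 in ?data=, victim origin in &loc=.
        q = parse_qs(parts.query)
        raw = q.get("data", [""])[0]
        try:  # binascii.Error is a ValueError subclass
            stolen = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
        except ValueError:
            stolen = None
        return "beacon", {"host": host, "origin": q.get("loc", [""])[0], "decoded": stolen}
    if path.endswith("/getInjector"):
        # Stage one: the loader URL shape shared by all five campaigns, so match any host.
        return "loader", {"host": host}
    if host in KNOWN_DOMAINS:
        return "domain", {"host": host}
    return None, {}

def scan_log(text):
    """Return (timestamp, client, kind, details) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            kind, details = classify_url(fields[3])
            if kind:
                hits.append((fields[0], fields[1], kind, details))
    return hits
```

Run `scan_log(SAMPLE_LOG)` to see the loader fetch and the decoded beacon; a `getInjector` path on a host not yet in `KNOWN_DOMAINS` is still reported, since that URL shape is what ties the five campaigns together.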
Detection Gap
At the time of discovery, only Sansec flagged the domain as malicious. VirusTotal showed just 1 of 97 security vendors detecting the threat, highlighting how ecommerce-specific attacks evade generic security tools.
Connection to Previous Attacks
The infrastructure matches a campaign Sansec found last year targeting the Green Bay Packers, which used an identical URL pattern via js-stats.com/getInjector/.
This is the fifth "getInjector" campaign uncovered in the past 12 months:
- artrabol.com
- js-stats.com
- js-tag.com
- jslibrary.net
- js-csp.com
The js-csp.com domain was registered just before Christmas 2025.
Why This Matters
Bank employees frequently reuse corporate credentials. Stolen passwords from the employee store could provide attackers with footholds into internal banking systems.
Employee stores typically fall outside standard security audits, making them attractive targets. The affected bank did not publish a security.txt file, making responsible disclosure unnecessarily difficult.
Indicators of Compromise
Primary infrastructure:
- js-csp.com
- js-csp.com/getInjector/
- js-csp.com/fetchData/
Exfiltration pattern:
js-csp.com/fetchData/?data=<base64>&loc=<origin>
Related domains:
- artrabol.com
- js-stats.com
- js-tag.com
- jslibrary.net
Timeline
| Date | Event |
|---|---|
| December 23, 2025 | js-csp.com domain registered |
| January 14, 2026 | Sansec detects keylogger |
| January 14, 2026 | Sansec notifies affected bank |
| January 15, 2026 | Malware confirmed still active |
| January 15, 2026 | Malware removed |
Recommendations
Organizations running employee stores should:
- Include internal sites in security audits
- Monitor client-side scripts for unauthorized JavaScript
- Publish security.txt to enable responsible disclosure
- Block known malicious domains at the network level