Trusted Script → Malicious Injection
This page loads trusted-vendor.js, a script your security team reviewed and approved.
However, the vendor's build pipeline was compromised and the script now dynamically injects
evil-payload.js, a script never seen before on your site.
Attack Flow
1. Page loads trusted-vendor.js, previously reviewed and allow-listed.
2. Compromised code inside the vendor script calls document.createElement('script') to inject evil-payload.js.
3. The injected script runs a C2 beacon and tries to exfiltrate cookies and local storage.
How Page Shield Catches This
- Script Monitor detects a new script URL (evil-payload.js) that was never part of the baseline.
- Code Change Detection flags that trusted-vendor.js has been modified since the last hash was recorded.
- Malicious Code Analysis scans the new script and identifies data-exfiltration patterns.
- Alert fires: the security team is notified via email / webhook / PagerDuty within seconds.
- If a Block Rule is configured, the injected script is prevented from executing entirely.
Live Demo
Click the button below to load trusted-vendor.js. Watch the console and the status
panel to see the injection happen in real time.
Why CSP Alone Isn't Enough
| Scenario | CSP script-src | Page Shield |
|---|---|---|
| Trusted vendor script is allow-listed | Allowed | Allowed |
| Vendor script content changes (supply-chain compromise) | Still Allowed: same origin | Alert: hash / content changed |
| Compromised vendor injects script from same origin | Still Allowed: same origin | Blocked: unknown script URL |
| Vendor injects script from new external origin | Blocked, if origin not listed | Blocked: unknown script + origin |