Vault JS Research
The Watchtower · May 2026
Threat Briefing Supply-Chain · DTT · Post-Glasswing

Why we watch the watchers for malicious actors.

Every analytics tag, ad pixel, and mobile SDK on your properties is third-party code your organization does not control, cannot review, and cannot patch. Recent advances in AI have made each one inexpensive to weaponize. This briefing sets out what we look for, and why continuous monitoring of digital tracking technology has become a baseline expectation.

Josh GoodwinCTO · Vault JS
May 1, 2026 9 min read
Vault JS Watchtower · May 2026
Why We Watch the Watchers 02/13
In this briefing

What changed, what's at stake, what to do.

A six-part assessment of why third-party JavaScript and mobile SDKs have become the lowest-cost path to your customers, and how to detect changes as they occur rather than months later.

01
The economics just collapsed.The shifting cost curve · Project Glasswing
p. 03
02
What attackers are actually doing.Anatomy of a supply-chain attack · four case studies
p. 05
03
Mobile and CTV are worse.SpinOK · SparkCat · Keenadu · the firmware problem
p. 07
04
Why the existing stack misses this.CMP, WAF/CSP, EDR, and audits, and what they miss
p. 08
05
What Vault JS monitors, and how.How we see without touching your site · four layers · the change types we score
p. 09
06
The point of watching.Sign-off
p. 12
At a glance
47
3rd-party scripts on the typical enterprise page (Cloudflare 2024)
267 days
Average supply-chain breach dwell time (IBM)
83.1%
Mythos Preview score on CyberGym vulnerability reproduction
£20M
GDPR fine for British Airways · 22 lines of changed JavaScript
Vault JS Watchtower
Why We Watch the Watchers 03/13
01
The shifting cost curve

The economics just collapsed.

If you run a marketing site, a mobile app, or a connected-TV experience, you load a substantial amount of code from other companies on every session. Tag managers. Analytics. Ad pixels. Session replay. Chat widgets. SDKs. Cloudflare's 2024 Application Security Report puts the typical enterprise customer at 47 third-party scripts on the page and connections to 50 separate third-party destinations, with retail and travel sites running higher. Each script runs with the same privileges as your own code: it can read the DOM, capture form input, and call external endpoints. Each one also updates on a schedule you do not set, through a CI/CD pipeline you do not see.

This is the digital tracking technology (DTT) layer. It is the most powerful tool available to a modern marketing team, and it is also, increasingly, the lowest-cost route for a malicious actor to reach your customers. We monitor it because few others do, and because the developments of the past twelve months have fundamentally changed the economics of who can attack you, how quickly, and at what cost.

Until recently, weaponizing a known JavaScript or SDK vulnerability was difficult. Skilled human attackers required days to weeks of focused work, and the most valuable resulting exploits traded on public broker price lists for somewhere between $100,000 and $2.5 million. That cost structure placed serious supply-chain attacks against ad-tech, analytics, and tag-manager scripts largely out of reach for all but nation-states and elite criminal groups.

That ceiling is now moving. In April 2026, Anthropic announced Project Glasswing, a defensive cybersecurity initiative built around a new frontier model called Claude Mythos Preview. Anthropic and its partners (AWS, Apple, Microsoft, Google, JPMorganChase, CrowdStrike, Cisco, Palo Alto Networks, NVIDIA, Broadcom, and the Linux Foundation) confirmed that the model is already finding and exploiting vulnerabilities at a level that "surpasses all but the most skilled humans."

Vault JS Watchtower
Why We Watch the Watchers 04/13

Mythos Preview has identified thousands of zero-days across every major operating system and web browser, scored 83.1% on the CyberGym vulnerability-reproduction benchmark, and in some cases discovered flaws that had survived decades of human review and millions of automated tests. Glasswing is structured as a defensive effort. The capability it documents, however, is not confined to good-faith users. As CrowdStrike's CTO observed, "what once took months now happens in minutes."

By the numbers · Project Glasswing

The capability bar is rising quickly.

83.1%
Claude Mythos Preview score on CyberGym vulnerability reproduction (vs. 66.6% for Opus 4.6)
1000s
Zero-days found by Mythos Preview across every major OS and browser
27 yrs
Age of one OpenBSD vulnerability Mythos Preview surfaced autonomously
$2.5M
Historical broker ceiling for a single zero-day exploit, per Zerodium-style price lists

For supply-chain risk, the relevant takeaway is not the specific benchmark number. It is the trajectory. Finding and weaponizing vulnerabilities was once a scarce specialty; it is becoming routine. Every line of vendor code on your site, including every tag manager script, every analytics SDK, and every chat widget, shares the character of the codebases in which Mythos Preview is finding bugs. The vendor scripts considered "too small to bother with" yesterday will not remain so for long.

Every vendor script on your site is now a viable, affordable target. What Project Glasswing means for your stack
Vault JS Watchtower
Why We Watch the Watchers 05/13
02
The pattern, repeated

What attackers are actually doing.

The attack surface of digital tracking technology is not theoretical. It is documented in legal filings, GDPR enforcement actions, and SEC disclosures going back nearly a decade. The shape of the attack is consistent: a small change to a piece of trusted, externally-hosted code goes unreviewed, propagates silently to every property loading it, and exfiltrates data for days to months before anyone notices.

Figure 01 · Attack flow

Anatomy of a supply-chain attack on third-party code

Vendor → CDN → users
01 VENDOR COMPROMISE Attacker gets in Credential theft, phished maintainer, CDN hijack, or insider access at one of your third-party vendors. e.g. Polyfill.io, Codecov, npm 02 CODE INJECTION A few lines change 22 lines for British Airways. 1 line for Codecov. Often obfuscated or Base64- encoded for stealth. Bypasses your CI/CD, code review, AppSec 03 SILENT DELIVERY Auto-propagates CDN serves the new file. Every site and app loading the vendor instantly runs the malicious code. No attacker action needed after step 2 04a WITH MONITORING · VAULT JS Surfaced in minutes The change is detected, scored, and routed to your security team, with the exact diff and the vendor responsible attached. 04b WITHOUT MONITORING · EXFILTRATION Data flows out Card numbers, credentials, PII, and session tokens stream to attacker servers disguised as analytics, for weeks to months.
A small code change at the vendor propagates silently. The moment it goes live, exfiltration begins, and continuous monitoring surfaces the change within the same window. Without it, detection takes weeks to months. With it, minutes.

The history of web supply-chain attacks reads like a single paragraph rewritten with different victim names. Four examples follow, all pre-Glasswing and executed by skilled humans against high-value targets:

Vault JS Watchtower
Why We Watch the Watchers 06/13
Documented in the wild

Four supply-chain breaches, one pattern.

British Airways

2018
Magecart · £20M GDPR fine

Attackers modified 22 lines of JavaScript in Modernizr 2.6.2, a third-party library running on BA's payment pages. The injected code copied every customer's name, address, card number, and CVV to baways.com while bookings appeared to complete normally.

22
Lines of code
15
Days undetected
429K
Victims

[24]7.ai chat widget

2017–18
850K cards · vendor sued

An attacker modified the source of [24]7.ai's customer-service chat widget, scraping payment data from every site that embedded it, including Sears, Kmart, and Best Buy. The compromise ran in two windows in late 2017. The vendor took months to notify affected brands, and one of them sued.

850K
Cards exposed
Weeks
Active breach
Months
Notify delay

Polyfill.io

2024
Domain ownership change

After a quiet acquisition, the new owners injected malicious JavaScript into cdn.polyfill.io. Every site loading this trusted, decade-old library was instantly weaponized, redirecting mobile users to scams and deploying malware. The attack ran for months. No code review caught it.

100K+
Sites loading
Months
Undetected
1
Domain sale

Codecov Bash Uploader

2021
One-line change · two-month dwell

Attackers extracted a credential from a Codecov Docker image and modified a single line in the hosted Bash Uploader to silently exfiltrate CI environment variables (AWS keys, tokens, and passwords) for roughly two months. The change was discovered only when a customer manually compared the script's SHA256 checksum.

1
Line modified
~2 mo
Exfiltration
29K+
Customer base

These are pre-Glasswing attacks. The Mythos Preview benchmark indicates that the rate of new discovery, and the speed of moving from "vulnerability known" to "exploit working," is set to accelerate. Targets that were not previously worth a skilled attacker's time will become worth the time of a less-skilled one.

Vault JS Watchtower
Why We Watch the Watchers 07/13
03
Beyond the browser

Mobile and CTV are not safer. They are worse.

Web is the most closely watched surface, and it is still failing. Mobile and connected TV are barely watched at all, and they are failing more severely.

  • SpinOK ad SDK shipped malicious code in 101 Android apps on Google Play, exfiltrating files and clipboard contents to attacker servers. Some 30M users were affected, and 43 of the apps remained live on the Play Store after disclosure.
  • SparkCat, identified by Kaspersky as one of the first publicly documented SDK-based crypto-wallet stealers on Apple's App Store, hid inside an SDK distributed across food-delivery, AI-chatbot, crypto, and VPN apps, using ML Kit OCR to scan users' photo galleries for crypto wallet recovery phrases.
  • Keenadu, disclosed by Kaspersky's Securelist in February 2026, was embedded directly into the firmware of Android tablets at the manufacturing supply chain stage. The malicious payload was linked into libandroid_runtime.so with a valid digital signature, injected into the Zygote process at boot, and runs in the context of every app on the device. Roughly 13,715 devices were detected infected, and the malicious system components survive factory reset because they reside in the read-only system partition.

The lesson is consistent across platforms: an SDK or script that appears benign at review time can turn malicious in production, following a software update that the app store does not re-review. Mobile ecosystems are full of overpermissive third-party SDKs. Academic work auditing the Google Play SDK Index has found that more than a third of audited SDKs over-collect data relative to their stated privacy policy, and that this rate has not improved meaningfully year over year.

Across the Vault JS customer base, we observe dozens of vendor-script changes each month on a typical enterprise marketing stack. Almost none are reviewed by the customer's security team before going live.

Vault JS Watchtower
Why We Watch the Watchers 08/13
04
The gap

Why the existing stack misses this.

Most enterprises already operate a CMP for consent, a WAF for traffic, an EDR on endpoints, and a CSP header on the page. None of these is designed to monitor how vendor code changes over time:

  • CMPs and cookie banners manage user consent. They do not read what the script actually does. A consent-tagged script that begins exfiltrating credit cards remains consent-tagged.
  • WAFs and CSPs govern what loads, not what loaded code does. The British Airways attack came from a script the CSP allowed.
  • EDR and AppSec watch your code, within your CI/CD pipeline. Vendor code bypasses both, which is the entire point of using a vendor.
  • Periodic audits and penetration tests sample a single moment in time. Modern supply-chain attacks are versioned, often geo- or device-targeted, and frequently short-lived, precisely the kind of behavior that point-in-time snapshots are designed to miss.

The gap is specific and well defined: continuous, behavior-level observability of every third-party script and SDK, every time it changes.

The cost of not watching

Some compromises last weeks. Most last months.

Detection times for supply-chain breaches are routinely measured in months. That is long enough for an attacker to copy card numbers, credentials, or session tokens to a server named to resemble ordinary analytics traffic.

267 days
Average dwell time, supply-chain breach (IBM)
~60 days
Codecov Bash Uploader active exfiltration
Months
Polyfill.io malicious payload undetected
15 days
British Airways Magecart on payment pages
Vault JS Watchtower
Why We Watch the Watchers 09/13
05
How we watch

What Vault JS monitors, and how.

Vault JS is an independent, third-party privacy compliance monitoring platform for enterprise web, mobile, and CTV properties. It does not install code on your site, and it does not block, enforce, or proxy traffic. Instead, it observes, continuously, every third-party script and SDK in your environment, every change to each one, and every resulting shift in behavior. We then report exactly what changed, who is responsible, what risk it carries, and what to do about it.

How we see, without touching your site

Outside-in, in the real runtime.

We observe vendor code the way an attacker's payload actually reaches a victim: from the outside. Vault JS operates a fleet of fully instrumented browsers and real mobile and CTV devices that load your public properties continuously, in the same way your customers' devices do, and execute every third-party script and SDK in a runtime we control and record.

Instrumented fleet

Cloud browsers and real devices render your pages and app surfaces on a schedule you set, from the regions and platforms your customers actually use.

Runtime observation

Inside that sandbox we record every network request, DOM read, cookie and storage write, and API call each tag makes, at the moment it makes it, rather than from a static manifest.

Zero footprint

Nothing of ours runs on your property, so we add no latency, introduce no new code path, and leave nothing for an attacker to find or disable.

No inline proxy. No browser extension. No on-page agent. It is continuous observation of what your vendors' code actually does, in the runtime where it runs.

Vault JS Watchtower
Why We Watch the Watchers 10/13

That outside-in stream is large, comprising dozens of vendor changes a month on a typical enterprise stack. A four-layer pipeline narrows it to the few that warrant human review, in order of increasing scrutiny:

Figure 02 · The Vault JS stack

Four layers of observation

Volume → pattern → rules → human
01 CONTINUOUS MONITORING Every script. Every change. We continuously scan every 3rd-party script and SDK on your web, mobile, and CTV properties, every change diffed in real time. Dozens of changes / month 02 ML RISK ANALYSIS Pattern detection Models analyze each change for behavior shifts: new endpoints, collection scope, obfuscation, 4th-party calls, anomalous execution. Catches what signatures miss 03 RULES VALIDATION Approved baselines Custom algorithms validate parameters, values, and request patterns against approved vendor baselines, deviations flagged. Per-parameter, per-call 04 HUMAN ANALYST Confirmation Flagged changes go to Vault JS security analysts who assess context, intent, and impact, confirming genuine threats, filtering false positives. AI finds the needle. Humans confirm the threat.
Vault JS combines continuous scanning, ML pattern detection, rules-based validation, and human review. Each layer narrows the daily volume of vendor changes down to the handful that genuinely require your team's attention.
Vault JS Watchtower
Why We Watch the Watchers 11/13

The change types we score

In practice, we look for the change types that carry the highest signal for a malicious actor, and we score each one by severity. The scoring runs identically across web, mobile, and CTV; only the telemetry differs, because we score the behavior rather than the platform.

Change
type
Web Mobile CTV
Storage scope expansionHigh New cookies, extended lifetimes, and new localStorage keys. New SharedPreferences or Keychain entries, and expanded SQLite scope. New persistent device identifiers that survive across sessions.
New input-surface accessCritical Reads form fields it did not read yesterday: the Magecart and formjacking pattern. SDK begins reading clipboard, contacts, photo gallery, or camera. Expanded device fingerprint or a new ACR (automated content recognition) signal.
New 4th-party sub-resourceCritical Vendor X begins loading Vendor Y: the delivery vector trusted vendors get used for. Dynamic class loading or a runtime native-library swap. A playback resource pulled from a new host mid-session.
Obfuscation or packing shiftHigh Minifier or packer changes; code begins trying to hide what it does. Bytecode packing increases, a native-library swap, or a new obfuscator signature. Bytecode packing or a signature change in the player binary.
Permission or capability escalationHigh No web analog. Runtime permission request expands beyond the SDK's prior baseline. Device-API capability request expands: microphone, network discovery, storage.

Because we score the behavior at the version where it changes, a malicious mobile or CTV update is caught when it ships, not at an app store's one-time review. This is precisely the SparkCat and Keenadu pattern described in §03.

Vault JS Watchtower
Why We Watch the Watchers 12/13
06
The point

The point of watching.

The case for continuous monitoring of digital tracking technology is not that every vendor will be compromised. It is that some will, that the cost of compromising them is falling, and that detection times remain long. Even shorter incidents, such as Codecov's two months or the weeks-long [24]7.ai chat-widget compromise, represent considerable windows for an attacker copying card numbers, credentials, or session tokens to a server named to resemble analytics traffic.

Find the change first. Tell the security team what changed, where, and how to remediate it. Provide the privacy team with audit-ready evidence of whether the vendor was, or was not, doing what it claimed. That is the work.

If you can see it, you can fix it. Vault JS
Vault JS
Independent · Outside-in
Evidence-grade
Next step

Map the attack surface you don't control.

Request a third-party attack surface audit for your web, mobile, and CTV properties: a complete, evidence-grade map of every script and SDK running on them, with the changes, origins, and risks already classified.

Request an audit at vaultjs.com
© 2026 Vault JS · The watchtower for third-party Martech. 13 / 13