“Serverless” Phishing Campaign

21 points by kencausey almost 4 years ago

2 comments

dmbaggett almost 4 years ago
These are actually quite common now. They're especially problematic because since the credential harvesting happens on localhost, there's no bad site to take down, and no indicative URL. Often the JavaScript payload is heavily obfuscated.

This is one reason why we (INKY) sanitize HTML to normalize character representations, remove JavaScript, XSS, etc. You can no longer rely on client-side sanitization as you could in the desktop client days (though even some of the better web services, like Fastmail actually do sanitize). It's also why you have to be super paranoid about HTML attachments now.
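Added example, not part of the thread and not INKY's code: a mail-gateway style check that flags HTML attachments carrying active content or a password field, the pattern the comment above describes. The finding labels, `scan_html_attachments`, `build_sample` and the sample message are all constructed for illustration.

```python
from email.message import EmailMessage
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action", "formaction"}
STRIP = "".join(map(chr, range(0x21)))  # C0 controls and space, ignored before a URL scheme

class ActiveContentFinder(HTMLParser):
    """Records active content and credential fields seen in one HTML document."""
    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        attrs = [(name, value or "") for name, value in attrs]
        if tag == "script":
            self.findings.add("script-element")
        if tag == "input" and any(n == "type" and v.strip().lower() == "password" for n, v in attrs):
            self.findings.add("password-field")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.add("inline-event-handler")
            # The parser has already decoded character references, so
            # "jav&#x61;script:" arrives here as "javascript:".
            url = value.lstrip(STRIP).replace("\t", "").replace("\n", "").replace("\r", "").lower()
            if name in URL_ATTRS and url.startswith("javascript:"):
                self.findings.add("javascript-url")

def scan_html_attachments(msg):
    """Return {filename: sorted findings} for every HTML part of msg."""
    report = {}
    for part in msg.walk():
        name = part.get_filename() or ""
        is_html = part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html"))
        if part.is_multipart() or not is_html:
            continue
        raw = part.get_payload(decode=True) or b""
        finder = ActiveContentFinder()
        finder.feed(raw.decode(part.get_content_charset() or "utf-8", errors="replace"))
        finder.close()
        report[name or "(inline html)"] = sorted(finder.findings)
    return report

def build_sample():
    """Constructed sample message; the script body is a placeholder, not a payload."""
    html = (b'<form onsubmit="return go()"><input type="password" name="p"></form>'
            b'<a href="jav&#x61;script:go()">Sign in</a><script>/* placeholder */</script>')
    msg = EmailMessage()
    msg["Subject"] = "Invoice (constructed sample)"
    msg.set_content("See attached.")
    msg.add_attachment(html, maintype="text", subtype="html", filename="invoice.html")
    msg.add_attachment(b"<p>Meeting notes</p>", maintype="text", subtype="html", filename="notes.html")
    return msg
```

Because the check looks at the attachment's structure rather than at a destination URL, it still fires when the script body is obfuscated and no external site is referenced.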
pypie almost 4 years ago
So the point is to avoid firing an async request to a server you control, since that server could be shut down? Surely SmptJS would kill the token if requested to, why is this any better?