What a blunder.<p>I think even the worst static code analyzers would have caught this.<p>Looking at the code that was injected by an attacker it seems like they were trying to extract user sessions and exfiltrate it.<p><a href="https://programming.dev/post/532566" rel="nofollow noreferrer">https://programming.dev/post/532566</a>