Attacker page (cross-origin) — smava Kundenbereich token theft

Origin: . This page never framed the target; it only window.open()s it (X-Frame-Options DENY does not stop popups) and speaks the teal RPC protocol to it.

idle…