Disturbed by @DonorBox-powered UI's interaction with Web's security model: it asks for bank login/password on origin that's not the bank's.

The criminal could be someone who sets up a site similar to yours, using something that looks like @DonorBox, but steals the password

It could also be somebody who hacks the @yimbyaction website, since users entering bank passwords into that site makes it a valuable target

The fundamental problem is that the browser URL bar says who you're communicating with. Users should never enter bank password at not-bank.