I’ve had banks do it in the past. They have a fake input field and capture keypress events via JavaScript directly from the dom, then just make it look like your typed in to the input field. They don’t read the password from the input field, they build it up in memory from those key press events.