Different misinterpretation of your question, reached by deliberately ignoring your list of specific wallets and only responding to the question itself, along with the information that the payload in question lives within client-side javascript:

Read up on packet sniffing and detect whether your sending flow includes any updates of the vendor's code, as opposed to loading the interface provided when you obtained the wallet; if it does, then load Developer Tools from the relevant browser tab¹, go through the sources, and look for any addresses hardcoded in the client-side javascript. There is only reason for honest wallet code to hardcode any addresses is donations to the developer, and you'll probably be able to recognize these based on things like variable names, or the stage where they are used; and it is quite unlikely that obfuscated payload goes to the trouble of building an attacker's address from found materials. It's possible, however writing the code for this takes even more time, and people who sell malware usually need to sell malware rather than sit around for decades while five bucks of CoiledCoin gets worth anything ever again.