I am afraid to tell you - this is how it works. When you enter username and password (or any other form data) in a form, then the browser will have this information in clear-text. This is why man-in-the-browser attacks are successful.
If you have AdvWAF and Fraud Protection Service licensed, you could use Application Layer Encryption in order to prevent this kind of attacks. Application Layer Encryption helps you to protect against in-browser key loggers.