Magecart Skimmer Abuses Google Tag Manager and Stripe API to Steal Card Data
Researchers at Sansec uncovered a Magecart campaign that uses trusted Google Tag Manager and Stripe infrastructure to steal payment data from e-commerce checkout pages. The skimmer is delivered through a malicious but legitimate-looking GTM container and activates on Magento and Adobe Commerce checkout flows, where it harvests card numbers, expiration dates, CVV codes, names, billing addresses, email addresses, and phone numbers. The malware retrieves additional JavaScript from Stripe customer metadata and executes it dynamically, helping the attack blend into normal traffic to trusted services.
The stolen data is obfuscated with XOR, stored locally, and later exfiltrated by creating fake customer records in an attacker-controlled Stripe account, causing the theft to appear as ordinary traffic to api.stripe.com and potentially bypass content security policies and network filtering. Sansec also identified a variant that uses Google Firestore instead of Stripe, pulling payloads from a document named tracking/captcha in a project called braintree-payment-app. Researchers said the Stripe customer record used to host the skimmer was created on Dec. 24, 2025, indicating the campaign may have been active since at least then.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Sansec identifies Magecart campaign abusing GTM and Stripe
Researchers at Sansec discovered a Magecart campaign using a malicious Google Tag Manager container to load a credit card skimmer on Magento and Adobe Commerce checkout pages. The malware retrieved JavaScript from Stripe customer metadata, stole payment and customer data, and exfiltrated it through attacker-controlled Stripe API activity; researchers also identified a Firestore-based variant.
Attacker Stripe customer record created for Magecart skimmer hosting
Sansec reported that the Stripe customer record used to host the skimmer payload was created on December 24, 2025, indicating the campaign may have been active since at least that date. The campaign abused Stripe customer metadata to retrieve malicious JavaScript and later exfiltrate stolen checkout data.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Magecart Campaign Hid Payment Skimmers in Google Tag Manager Containers
A long-running **Magecart** operation linked to the **ATMZOW** skimmer family abused **Google Tag Manager (GTM)** to inject credit-card theft code into compromised ecommerce checkout pages, according to Sucuri. The attackers hid malicious JavaScript inside GTM containers served through `googletagmanager.com`, exploiting the trust many sites place in that domain while using multi-stage obfuscation to steal payment data. Sucuri said the activity affected hundreds of sites, with one malicious container, `GTM-WJV6J6`, detected 178 times before removal, and tied the campaign to Magento-focused compromises dating back to the 2015 **Guruincsite** infections. Researchers said the operators rotated payload delivery through about 40 newly registered lookalike domains, used **Cloudflare** to shield infrastructure, and stored selected domains in browser local storage to complicate analysis and blocking. After Google removed malicious containers such as `GTM-WJ6S9J6` and `GTM-TVKQ79ZS`, the attackers quickly replaced them with new IDs including `GTM-NTV2JTB4` and `GTM-MX7L8F2M`, showing persistent reinfection efforts; in at least one case, the GTM-based skimmer ran alongside a separate WebSocket-based skimmer, indicating overlapping compromises and continued adaptation by the threat actor.
Jun 8, 2026
Magecart Campaign Hides Magento Card Skimmer in 1x1 SVG Images
A large Magecart campaign compromised nearly 100 Magento and Adobe Commerce stores by hiding a full credit-card skimmer inside a **1x1-pixel SVG** embedded directly in checkout page HTML. Researchers said the malware stores its payload in the SVG `onload` handler, decodes it with `atob()`, and runs it via `setTimeout`, allowing it to evade scanners that typically look for externally loaded scripts. When shoppers click checkout, the skimmer displays a convincing fake **"Secure Checkout"** overlay that captures billing and payment details before validating card numbers with the **Luhn algorithm**. The stolen data is exfiltrated as XOR-encrypted, base64-obfuscated JSON to attacker-controlled infrastructure, in some cases disguised as Facebook analytics traffic. Sansec linked the infections to exploitation of the **PolyShell** vulnerability, which affects Magento Open Source and Adobe Commerce stable version 2 deployments and can enable unauthenticated code execution and account takeover. Defenders were urged to hunt for hidden SVG tags and suspicious `onload` code, check for the `_mgx_cv` localStorage key, and block outbound traffic to the identified attacker infrastructure, including domains resolving to **`23.137.249.67`** hosted by IncogNet in the Netherlands.
Apr 10, 2026
Silent Push Uncovers Long-Running Magecart Web-Skimming Infrastructure Targeting Major Payment Networks
Silent Push reported a large-scale **Magecart-style web-skimming** operation active since early 2022 that uses an extensive domain network to support client-side JavaScript skimmers on compromised e-commerce checkout pages. The activity is assessed to impact **online shoppers** and organizations that are **clients of major payment providers**, with targeting noted against **American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay**; the skimmers are designed to quietly exfiltrate payment-card and other form data during transactions rather than disrupt systems. Technical reporting tied the infrastructure to domains hosting **highly obfuscated skimmer payloads** (e.g., `recorder.js`, `tab-gtm.js`) and described evasion logic that attempts to avoid execution when site administrators are present (e.g., checking the DOM for WordPress’ `wpadminbar`). The infrastructure analysis also linked parts of the campaign to a domain associated with the sanctioned bulletproof hosting ecosystem around **Stark Industries / PQ.Hosting**, which has been described as rebranding to *THE[.]Hosting* under **WorkTitans B.V.**, consistent with sanctions-evasion behavior; researchers emphasized that weak **third-party script governance** on payment pages remains a key enabling factor for this type of long-lived skimming operation.
Mar 21, 2026