A new Magecart campaign is leveraging the trusted infrastructure of Stripe's API to host credit card-stealing payloads and exfiltrate stolen data from online checkout pages, according to a recent report by Bleeping Computer.

The sophisticated attack utilizes Google Tag Manager (GTM) and Stripe domains, which are implicitly trusted by e-commerce sites, allowing the malicious code to bypass security measures. Researchers at Sansec discovered that the skimmer is loaded from a GTM container and executes on checkout pages, targeting Magento/Adobe Commerce platforms. It captures sensitive payment data, including credit card numbers, expiration dates, CVV codes, customer names, billing and email addresses, and phone numbers. The stolen data is then obfuscated using XOR and stored locally before being exfiltrated by creating fake customer records within the attacker's Stripe account, effectively using Stripe as a data storage backend.

A variant of this campaign has also been observed using Google Firestore for data storage. The campaign appears to have been active since at least December 24, 2025.

Source: Bleeping Computer
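
An added example, not taken from the Sansec or Bleeping Computer reports: because the exfiltration goes to a Stripe domain the site already trusts, a hostname allowlist cannot tell it apart from real payment traffic, so this check audits captured checkout-page requests by API key and endpoint instead. The merchant key, the expected-path list and the sample requests are constructed assumptions; the page does not give the skimmer's exact request format.

```javascript
// Added example: audit requests a checkout page sent to api.stripe.com.
// All keys, paths and sample entries below are constructed placeholders.
const MERCHANT_KEYS = new Set(["pk_live_MERCHANT_PLACEHOLDER"]);
// Assumed allowlist of endpoints this site's own browser integration uses.
const EXPECTED_PATHS = [/^\/v1\/tokens$/, /^\/v1\/payment_methods$/];

// Stripe accepts the key as a Bearer token, a Basic-auth username, or a `key` form field.
function extractKey(req) {
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
  const auth = headers["authorization"] || "";
  const bearer = /^Bearer\s+(\S+)$/i.exec(auth);
  if (bearer) return bearer[1];
  const basic = /^Basic\s+(\S+)$/i.exec(auth);
  if (basic) return Buffer.from(basic[1], "base64").toString("utf8").split(":")[0];
  return new URLSearchParams(req.body || "").get("key");
}

// Returns the list of findings for one request; empty means nothing to report.
function auditRequest(req) {
  const url = new URL(req.url);
  if (url.hostname !== "api.stripe.com") return [];
  const findings = [];
  const key = extractKey(req);
  // A key that is not the merchant's own means data is going to another account.
  if (!key || !MERCHANT_KEYS.has(key)) findings.push("key-not-merchant");
  // Secret (sk_) and restricted (rk_) keys should never appear in browser traffic.
  if (key && /^(sk|rk)_/.test(key)) findings.push("secret-key-in-browser");
  if (!EXPECTED_PATHS.some((re) => re.test(url.pathname))) findings.push("unexpected-endpoint");
  return findings;
}

function auditSession(requests) {
  return requests
    .map((req) => ({ url: req.url, findings: auditRequest(req) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample: one legitimate tokenization call, one customer-record write.
const SAMPLE = [
  { method: "POST", url: "https://api.stripe.com/v1/tokens",
    headers: {}, body: "card[number]=REDACTED&key=pk_live_MERCHANT_PLACEHOLDER" },
  { method: "POST", url: "https://api.stripe.com/v1/customers",
    headers: { Authorization: "Bearer sk_live_UNKNOWN_PLACEHOLDER" },
    body: "name=REDACTED&description=REDACTED" },
];

console.log(JSON.stringify(auditSession(SAMPLE), null, 2));
```

The input can come from a HAR export or a synthetic-browser monitor of the checkout page; both the key set and the path list need to match the site's real Stripe integration before the findings mean anything.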




