Researchers discovered a Magecart campaign abusing Google Tag Manager and Stripe infrastructure.
The attack targets checkout pages on Magento and Adobe Commerce stores.
Stolen customer and payment data is reportedly stored in attacker-controlled Stripe customer metadata fields.
The campaign shows how trusted SaaS platforms can be repurposed as attack infrastructure.
This Magecart campaign shows how payment-card theft operations have moved beyond traditional attacker-controlled infrastructure and into trusted cloud services that many organizations rely on every day.
Researchers at Sansec uncovered a Magecart operation that abuses Google Tag Manager (GTM) and Stripe’s API infrastructure to deliver malicious code and collect stolen checkout information. Instead of relying on suspicious domains or obvious attacker-controlled infrastructure, the attackers use legitimate services that are commonly trusted by retailers and often permitted by default in web environments.
The campaign targets Magento and Adobe Commerce checkout pages, where malicious code captures payment details and customer information during online transactions. The operation highlights a growing challenge for defenders: when attackers hide inside trusted services, domain reputation alone becomes a weak detection signal.
Why attackers are moving into trusted SaaS platforms
The most notable aspect of this campaign is not the skimmer itself, but the infrastructure behind it. Instead of relying on attacker-controlled servers, the operators reportedly used trusted services such as Google Tag Manager and Stripe to deliver payloads and store stolen data.
This approach offers several advantages:
Traffic to trusted services is less likely to raise immediate suspicion.
Many organizations already allow platforms such as Stripe and Google Tag Manager by default.
Malicious activity can blend in with legitimate business operations.
Domain reputation becomes a less effective detection signal.
As organizations continue adopting cloud services and third-party integrations, defenders need to look beyond where traffic is going and pay closer attention to how trusted services are being used.
Anatomy of the Magecart Stripe abuse campaign
The campaign uses trusted cloud services at multiple stages of the attack chain, from payload delivery to data storage.
Stage 1: Loading the skimmer through GTM
The attack begins with a Google Tag Manager container that loads malicious code onto affected websites. The widespread use of Google Tag Manager can make malicious script activity more difficult to identify.
Stage 2: Retrieving code from Stripe metadata
The attackers reportedly stored JavaScript fragments within Stripe customer metadata fields. The browser retrieves and reconstructs the code through Stripe’s API before execution.
Stage 3: Capturing checkout information
Once active, the skimmer monitors checkout forms and collects payment card details along with customer information. The activity occurs within the browser, making detection more challenging.
Stage 4: Hiding stolen data inside Stripe records
The stolen information is reportedly obfuscated and stored in attacker-controlled Stripe customer metadata fields. This removes the need for a traditional attacker-operated exfiltration server.
Stage 5: Firestore-based variants
Researchers also identified a variant that uses Google Firestore for payload retrieval and data storage. The use of multiple cloud services suggests the operators are diversifying their infrastructure.
Why traditional security controls struggle with this attack
This campaign highlights how trusted services can complicate detection efforts. Rather than relying on attacker-controlled infrastructure, the operators reportedly used platforms that many organizations already allow and depend on for business operations.
Key challenges include:
Trusted domains do not guarantee safe activity. The campaign used legitimate services such as Google Tag Manager and Stripe as part of the attack chain.
Legitimate traffic can conceal malicious behavior. Activity involving trusted services can make it harder to distinguish malicious actions from normal business operations.
Client-side threats create visibility gaps. Because web skimmers operate within the browser, suspicious activity may be more difficult to identify through traditional monitoring alone.
Operational summary table
Component           Details
Threat Type         Magecart web-skimming campaign
Primary Technique   Trusted SaaS infrastructure abuse
Target Asset        E-commerce checkout pages
Affected Platforms  Magento and Adobe Commerce
Payload Sources     Stripe customer metadata and Google Firestore
Attacker Objective  Payment card and customer data theft
What this means for e-commerce security teams
The campaign demonstrates that modern web-skimming operations no longer require dedicated attacker infrastructure. Instead, attackers can abuse trusted services that many organizations already allow and depend on.
Trusted services can become part of the attack chain
The use of Google Tag Manager and Stripe highlights how legitimate platforms can be leveraged to support malicious activity. Security teams may need to evaluate not only which services are being used, but how they are being used.
Checkout integrity is just as important as website availability
Many organizations focus on keeping checkout systems online and performing reliably. This incident shows that monitoring the integrity of scripts running on checkout pages is equally important.
Small changes can have large consequences
Web-skimming attacks often require only minor modifications to existing website code. A single malicious script can affect every customer transaction until it is identified and removed.
Visibility must extend into the browser
Much of the activity in this campaign occurs within the customer’s browser rather than on the server. As client-side threats continue to evolve, organizations may need greater visibility into scripts, third-party integrations, and checkout-page behavior.
How to reduce exposure and mitigate risk
Organizations can reduce exposure by:
Reviewing Google Tag Manager configurations and restricting publishing permissions.
Implementing checkout-page integrity monitoring.
Monitoring third-party scripts and dependencies for unauthorized changes.
Applying strong access controls to e-commerce administration platforms.
Reviewing payment-processing and third-party service integrations regularly.
Monitoring administrator devices and establishing response procedures for suspected compromises.
How Hexnode supports threat investigation and response
Web-skimming campaigns often depend on access to administrative systems, website management platforms, or third-party integrations. Securing the devices used to manage these environments can help reduce risk and improve investigation readiness.
Hexnode UEM helps organizations enforce device compliance policies and gain visibility into non-compliant devices. Hexnode XDR supports threat investigation by monitoring real-time endpoint events, detecting behavioral patterns, and correlating XDR security alerts with UEM context.
Together, these capabilities can help security teams improve visibility into the endpoints used to manage e-commerce platforms, payment integrations, and other business-critical web services.
Conclusion
The Magecart Stripe abuse campaign demonstrates how attackers can leverage trusted cloud services to support web-skimming operations. By using platforms commonly allowed in e-commerce environments, threat actors can make malicious activity more difficult to distinguish from legitimate business traffic.
As organizations continue expanding their use of third-party services, monitoring checkout integrity, script behavior, and administrative systems becomes increasingly important. Strong governance, layered visibility, and effective investigation workflows remain essential for detecting and responding to modern web-skimming threats.
Current reporting indicates attackers are abusing legitimate Stripe functionality rather than compromising Stripe itself. The reported activity involves attacker-controlled customer records and metadata fields.
Can traditional monitoring miss this type of attack?
Yes. Because the skimmer operates within the browser and uses trusted services, organizations may need checkout-page integrity monitoring and script visibility in addition to traditional security controls.
Why are Magento and Adobe Commerce frequently targeted?
Both platforms are widely used in e-commerce environments, making them attractive targets for financially motivated attackers seeking access to payment data.