Sansec has discovered a new Magecart card-skimming campaign that abuses Stripe's API infrastructure and Google Tag Manager to host both the skimmer payload and the stolen data. Because online stores trust googletagmanager.com and api.stripe.com by default, the skimmer slips past Content Security Policy rules and network filters that would flag an unknown skimmer domain. Malicious code embedded in a legitimate-looking GTM container activates at checkout, queries a Stripe customer record, reads JavaScript from its metadata, and runs it via new Function(). It targets Magento/Adobe Commerce checkout pages, capturing card number, expiry, CVV, name, billing address, email, and phone, then XOR-obfuscates and stores the data locally before exfiltrating through Stripe.
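An added example, not Sansec's code and not code from the campaign: a simplified Content Security Policy audit that reports whether a store's policy permits each stage of the chain described above (script load from GTM, request to api.stripe.com, and new Function(), which CSP gates behind 'unsafe-eval'). The function names, the www.googletagmanager.com host used for the GTM check, and the two sample policies are assumptions constructed for illustration.

```javascript
// Simplified matcher: handles hosts, *.wildcards, https: and *; it ignores
// paths, ports, nonces, hashes and 'strict-dynamic'.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = values; // first occurrence wins
  }
  return policy;
}

// Effective source list for a directive, honouring the default-src fallback.
function sources(policy, directive) {
  return policy[directive] || policy["default-src"] || null; // null = unrestricted
}

function allowsHost(list, host) {
  if (list === null) return true;
  return list.some((src) => {
    const s = src.toLowerCase();
    if (s === "*" || s === "https:") return true;
    if (s.startsWith("'")) return false; // keywords such as 'self' or 'none'
    const h = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, "").split(/[/:]/)[0];
    return h === host || (h.startsWith("*.") && host.endsWith(h.slice(1)));
  });
}

function auditChain(header) {
  const p = parseCsp(header);
  const script = sources(p, "script-src");
  const stages = {
    loadFromGtm: allowsHost(script, "www.googletagmanager.com"),
    fetchFromStripe: allowsHost(sources(p, "connect-src"), "api.stripe.com"),
    // new Function() is string-to-code evaluation, allowed only with 'unsafe-eval'.
    dynamicEval: script === null || script.some((s) => s.toLowerCase() === "'unsafe-eval'"),
  };
  stages.chainPermitted = Object.values(stages).every(Boolean);
  return stages;
}

// Constructed sample policies (not taken from any real store).
const PERMISSIVE = "default-src 'self'; script-src 'self' 'unsafe-eval' https://www.googletagmanager.com; connect-src 'self' https://api.stripe.com";
const NO_EVAL = "default-src 'self'; script-src 'self' https://www.googletagmanager.com; connect-src 'self' https://api.stripe.com";
console.log(auditChain(PERMISSIVE), auditChain(NO_EVAL));
```

With the second policy both hosts stay allowed, yet the browser refuses new Function(), so the chain stops at the step where code read from the Stripe metadata would be executed.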