Last updated: July 5, 2026 at 9:01 AM UTC
Tag: magecart (1 article)

Magecart skimmer abuses Stripe API and Google Tag Manager to host payload and exfiltrate cards, bypassing CSP on Magento checkouts

Sansec has discovered a new Magecart card-skimming campaign that abuses Stripe's API infrastructure and Google Tag Manager to host both the skimmer payload and the stolen data. Because online stores trust googletagmanager.com and api.stripe.com by default, the skimmer slips past Content Security Policy rules and network filters that would flag an unknown skimmer domain. Malicious code embedded in a legitimate-looking GTM container activates at checkout, queries a Stripe customer record, reads JavaScript from its metadata, and runs it via new Function(). It targets Magento/Adobe Commerce checkout pages, capturing card number, expiry, CVV, name, billing address, email, and phone, then XOR-obfuscates and stores the data locally before exfiltrating through Stripe.

Check
Audit Magento/Adobe Commerce checkout pages for unfamiliar Google Tag Manager containers and JavaScript reading from api.stripe.com customer-record metadata. Review GTM container change history for unauthorized edits.
Affected
Magento/Adobe Commerce stores using Google Tag Manager. The skimmer hides in GTM containers and routes payload and stolen cards through trusted api.stripe.com, bypassing CSP and network filters.
Fix
Lock down GTM container edit access and review all containers. Apply strict CSP and Subresource Integrity, and monitor checkout pages for unauthorized scripts. Treat trusted-domain traffic as a skimmer vector.
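
One way to run the Check step over script text exported from a GTM container or saved from a checkout page, as an added example that is not Sansec's code or published indicators. The three patterns, the verdict names and the sample strings are assumptions constructed from the behaviour described above: a Stripe customer-record lookup, a metadata read, and execution via new Function().

```javascript
// Added example: static triage of checkout/GTM script text.
// Patterns are heuristics assumed from the behaviour described, not IoCs.
const SIGNALS = {
  stripeCustomer: /api\.stripe\.com\/v1\/customers/i, // customer-record lookup
  metadataRead: /\.metadata\b|\[\s*['"]metadata['"]\s*\]/, // reads record metadata
  // new Function() is named on the page; eval() is added as the obvious sibling.
  dynamicExec: /\bnew\s+Function\s*\(|\beval\s*\(/,
};

function scoreScript(source) {
  const hits = Object.keys(SIGNALS).filter((name) => SIGNALS[name].test(source));
  const exec = hits.includes('dynamicExec');
  // Each signal alone is common in legitimate code; the combination is not.
  let verdict = 'ok';
  if (exec && hits.length === 3) verdict = 'high';
  else if (exec && hits.length === 2) verdict = 'review';
  return { hits, verdict };
}

// Returns the names of scripts that need a human look, worst first.
function triage(scripts) {
  const rank = { high: 0, review: 1 };
  return Object.entries(scripts)
    .map(([name, src]) => ({ name, ...scoreScript(src) }))
    .filter((r) => r.verdict !== 'ok')
    .sort((a, b) => rank[a.verdict] - rank[b.verdict])
    .map((r) => `${r.verdict}:${r.name}`);
}

// Constructed samples. The flagged one is deliberately non-functional fragments.
const SAMPLES = {
  'gtm-analytics': "window.dataLayer = window.dataLayer || [];\n" +
    "dataLayer.push({ event: 'checkout_step', step: 2 });",
  'template-helper': "var add = new Function('a', 'b', 'return a + b');",
  'gtm-custom-html': [
    "var u = 'https://api.stripe.com/v1/customers/cus_PLACEHOLDER';",
    "/* request elided */",
    "var body = rec.metadata.PLACEHOLDER;",
    "new Function(body)();",
  ].join('\n'),
};

console.log(triage(SAMPLES));
```

A match is a prompt to review the container's change history, not proof of compromise, and minified or obfuscated code can evade all three patterns.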