Full Report
A new Magecart campaign is using Stripe's API infrastructure to host the credit card-stealing payload and the data exfiltrated from checkout pages. [...]
Analysis Summary
# Incident Report: Magecart Abuse of Stripe and GTM Infrastructure
## Executive Summary
A Magecart campaign uses legitimate infrastructure from Google Tag Manager (GTM) to deliver its skimmer and from Stripe to receive what it steals. Because every request goes to hosts that a Stripe-integrated checkout must already allow (`api.stripe[.]com`, `googletagmanager[.]com`), the skimmer's traffic blends in with the merchant's own and passes Content Security Policy (CSP) allowlists and egress filtering without adding any new domain. The impact is theft of full payment card details and personally identifiable information (PII) from Magento/Adobe Commerce checkout pages.
## Incident Details
- **Discovery Date:** June 4, 2026 (Reported date)
- **Incident Date:** Active since at least December 24, 2025
- **Affected Organization:** Various e-commerce merchants using Magento/Adobe Commerce
- **Sector:** E-commerce / Retail
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Circa December 2025
- **Vector:** Compromised or attacker-controlled Google Tag Manager (GTM) containers.
- **Details:** Attackers place the skimmer in a GTM container that the target site loads through its existing GTM snippet. The payload therefore runs on every page view without ever appearing in the merchant's source tree or deployment pipeline.
### Lateral Movement
- **Mechanism:** None in the conventional sense; no internal network movement is involved. The campaign instead spreads across third-party SaaS platforms (Stripe, and in a variant Google Firestore), using them to host attack components and to receive stolen data.
### Data Exfiltration/Impact
- **Details:** The skimmer captures card numbers, CVV codes, expiry dates, names, addresses and phone numbers. The data is XOR-obfuscated, staged in `localStorage`, and then uploaded as `metadata` fields on fake `Customer` objects in an attacker-controlled Stripe account; the staged copy is wiped after a successful upload.
### Detection & Response
- **Discovery:** Identified by security researchers at Sansec through analysis of suspicious GTM container behavior.
- **Response Actions:** Public disclosure of the technique to alert merchants; recommendation for virtual card use by consumers.
## Attack Methodology
- **Initial Access:** Supply chain injection via Google Tag Manager.
- **Persistence:** Script executes on every page load via the GTM container.
- **Defense Evasion:** Every request goes to hosts a Stripe-integrated site must already allow (`api.stripe[.]com`, `googletagmanager[.]com`), so no new domain has to pass CSP or egress filtering; stolen data is XOR-obfuscated while staged; the local copy is wiped after successful exfiltration.
- **Discovery:** Target identification of checkout pages and specific form fields (Magento/Adobe Commerce).
- **Collection:** Scraping of payment form fields and storage in `localStorage`.
- **Exfiltration:** Abuse of Stripe's Customer API to create fake customer records (for example `cus_TfFjAAZQNOYENR`) in the attacker's own Stripe account, with the stolen data carried in the records' `metadata` fields.
- **Impact:** Financial fraud and mass data breach of consumer PII.
## Impact Assessment
- **Financial:** High potential for fraudulent transactions using stolen card data.
- **Data Breach:** Full payment card data (PAN, CVV, Expiry) and PII.
- **Operational:** Merchants face PCI DSS non-compliance findings and possible penalties or restrictions from their acquirer and payment processor.
- **Reputational:** Loss of consumer trust in affected e-commerce platforms.
## Indicators of Compromise
- **Network Indicators:**
- Browser-side POSTs to `api.stripe[.]com` Customer endpoints (`/v1/customers`) carrying large `metadata[...]` values. Customer creation is a secret-key operation in Stripe's API, so a checkout page should never make this call regardless of which account it lands in.
- Unexpected calls to `googletagmanager[.]com` loading containers that are not the merchant's own.
- **File/Storage Indicators:**
- `localStorage` key: `d_data_customer` (in Firestore variant).
- Presence of `new Function()` calls within scripts loaded from GTM.
- **Behavioral Indicators:**
- Creation of Stripe customer objects with XOR-encoded metadata.
- Firestore document access: `tracking/captcha` in project `braintree-payment-app`.
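The following is an added example, not Sansec's tooling or code from any skimmer sample, that turns the Attack Methodology and the indicators above into in-page checks: a `fetch` wrapper that flags browser-side `POST`s to Stripe's Customer endpoint carrying `metadata[...]` fields, and a `localStorage` scan that looks for Luhn-valid card numbers either in clear or under a single-byte XOR. The report does not give the skimmer's key or key length, so the single-byte scheme, the sample values and the request shapes are assumptions made for illustration.

```javascript
// Added example, not Sansec's code nor any skimmer sample: in-page checks for the IoCs
// above. Request shapes, the localStorage value format and the single-byte XOR scheme
// are assumptions made for illustration. Pure functions, so this also runs under Node.
const STRIPE_API_HOST = "api.stripe.com";

// Luhn check on a 13-19 digit string.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) d = d > 4 ? d * 2 - 9 : d * 2;
    sum += d;
  }
  return sum % 10 === 0;
}

// Luhn-valid 13-19 digit runs in `text`; single spaces or dashes may sit between digits.
function findPans(text) {
  const found = [];
  const re = /(?:\d[ -]?){12,18}\d/g;
  for (let m; (m = re.exec(text)) !== null;) {
    const digits = m[0].replace(/[ -]/g, "");
    if (luhnValid(digits)) found.push(digits);
  }
  return found;
}

// The report gives no XOR key, so assume a single repeating key byte: try every
// non-zero key and keep those whose output contains a Luhn-valid PAN.
function xorDecodeCandidates(bytes) {
  const hits = [];
  for (let key = 1; key < 256; key++) {
    const text = bytes.map((b) => String.fromCharCode(b ^ key)).join("");
    const pans = findPans(text);
    if (pans.length) hits.push({ key, text, pans });
  }
  return hits;
}

// Scan a Storage-like object (window.localStorage, or a plain object in tests) for PANs.
function scanStorage(store) {
  const keys = typeof store.key === "function"
    ? Array.from({ length: store.length }, (_, i) => store.key(i)) : Object.keys(store);
  const findings = [];
  for (const key of keys) {
    const value = typeof store.getItem === "function" ? store.getItem(key) : store[key];
    if (typeof value !== "string") continue;
    const plain = findPans(value);
    if (plain.length) { findings.push({ key, how: "plain", pans: plain }); continue; }
    const bytes = Array.from(value, (ch) => ch.charCodeAt(0) & 0xff);
    for (const hit of xorDecodeCandidates(bytes)) {
      findings.push({ key, how: "xor:" + hit.key.toString(16), pans: hit.pans });
    }
  }
  return findings;
}

// Flag a POST to Stripe's Customer endpoint carrying metadata[...] fields. Customer
// creation needs a secret key, so Stripe.js on a checkout page never makes this call.
function inspectRequest(url, init = {}) {
  let u;
  try { u = new URL(url); } catch { return null; }
  if (u.hostname !== STRIPE_API_HOST) return null;
  const method = (init.method || "GET").toUpperCase();
  const params = new URLSearchParams(typeof init.body === "string" ? init.body : "");
  const metadataKeys = [...params.keys()].filter((k) => k.startsWith("metadata["));
  const metadataBytes = metadataKeys.reduce((n, k) => n + params.get(k).length, 0);
  const reasons = [];
  if (method === "POST" && /^\/v1\/customers(\/|$)/.test(u.pathname)) reasons.push("customer-create-from-browser");
  if (metadataKeys.length) reasons.push("metadata-fields:" + metadataKeys.length);
  if (metadataBytes > 256) reasons.push("metadata-bytes:" + metadataBytes);
  return reasons.length ? { url: u.href, method, reasons } : null;
}

// Wrap fetch so each request is inspected before it leaves the page. `target` is window in
// a browser or any object with a fetch property; XHR, sendBeacon and image beacons are not covered.
function installFetchMonitor(target, onAlert) {
  const original = target.fetch;
  target.fetch = function (input, init) {
    const url = typeof input === "string" ? input : (input && input.url) || "";
    const alert = inspectRequest(url, init);
    if (alert) onAlert(alert);
    return original.call(target, input, init);
  };
}

// Constructed sample data, not captured traffic: what a skimmer would stage and send.
const SAMPLE_PLAINTEXT = '{"number":"4242424242424242","cvc":"123","exp":"12/29"}';
const SAMPLE_STAGED = Array.from(SAMPLE_PLAINTEXT, (ch) => String.fromCharCode(ch.charCodeAt(0) ^ 0x5a)).join("");
const SAMPLE_STORE = { d_data_customer: SAMPLE_STAGED };
const SAMPLE_EXFIL = ["https://api.stripe.com/v1/customers", { method: "POST", body: "description=x&metadata[d]=" + encodeURIComponent(SAMPLE_STAGED) }];
const SAMPLE_LEGIT = ["https://api.stripe.com/v1/payment_methods", { method: "POST", body: "type=card&card[number]=4242424242424242&card[cvc]=123&key=pk_test_example" }];

// Run both checks; in a page use installFetchMonitor(window, ...) and scanStorage(window.localStorage).
function demo() {
  const alerts = [];
  const fake = { fetch: () => "sent" };
  installFetchMonitor(fake, (a) => alerts.push(a));
  fake.fetch(...SAMPLE_EXFIL);
  fake.fetch(...SAMPLE_LEGIT);
  return { alerts, storage: scanStorage(SAMPLE_STORE) };
}
```

In a page, call `installFetchMonitor(window, alert => ...)` as early as possible and `scanStorage(window.localStorage)` on checkout pages. The wrapper only sees `fetch`; a skimmer can also use `XMLHttpRequest`, `navigator.sendBeacon` or an image beacon, and a loader that captures the original `fetch` before the wrapper is installed escapes it entirely, so treat this as a detection aid rather than a control.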
## Response Actions
- **Containment:** Remove the malicious tag or container, review the GTM container's version history to establish when and by which user it was injected, and rotate or restrict GTM access.
- **Eradication:** Report the attacker-controlled Stripe account and the observed Customer IDs (e.g. `cus_TfFjAAZQNOYENR`) to Stripe for takedown; the records live in the attacker's account, so the merchant cannot delete them directly. Confirm the skimmer is gone by checking that checkout pages load only the expected scripts.
- **Recovery:** Notify affected customers and the payment processor, and audit every third-party script and tag loaded on checkout pages.
## Lessons Learned
- **Implicit Trust Risks:** Allowing a third-party host in CSP trusts every account on that platform, not just the merchant's. An attacker with their own Stripe account can use the same host, so the skimmer hides in plain sight.
- **GTM Exposure:** GTM remains a high-value supply-chain target because container contents change without a code deployment and so sit outside source-code review and release change control.
- **Monitoring Gaps:** Standard monitoring rarely inspects the content of requests to legitimate APIs, so oversized `metadata` fields bound for Stripe go unnoticed.
## Recommendations
- **Subresource Integrity (SRI):** SRI cannot be applied to GTM's container script because its contents change without notice; use it for the static third-party scripts that can be pinned, and treat the GTM container itself as a change-controlled asset (review its version history and restrict who can publish).
- **CSP Strengthening:** CSP source expressions are host- and path-based, not account-based, so a policy cannot tell the merchant's Stripe account from the attacker's. The available lever is to narrow `connect-src` from the whole `api.stripe.com` host to the specific paths the merchant's integration actually calls, which blocks the Customer endpoint used here.
- **Behavioral Monitoring:** Deploy client-side monitoring that inventories the scripts loaded on payment pages and alerts on unauthorized form-field reads, `localStorage` staging and outbound calls to endpoints the integration does not use.
- **API Audit:** The stolen data lands in the attacker's Stripe account, not the merchant's, so reviewing the merchant's own Stripe logs will not reveal it. Audit instead the browser-side calls the checkout makes to `api.stripe.com` (which endpoints, with which key) against what the integration is supposed to make, and raise anything unexpected with Stripe.
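To make the CSP point concrete, here is an added example (not from the report; the path-scoped endpoint list is an assumption about one merchant's integration, not Stripe's documented API surface): a small `connect-src` matcher following the CSP3 host-source rules for scheme, host and path, run against the skimmer's exfiltration URL and two ordinary checkout calls under a host-level policy and a path-scoped one.

```javascript
// Added example, not from the report: a reduced CSP connect-src matcher. Expressions
// need an explicit scheme; ports, 'self' and nonces are left out because they do not
// matter for the comparison below. The path-scoped endpoint list is an assumption.

// Source expressions of a named directive, or null if the header does not carry it.
function directiveValue(header, name) {
  for (const directive of header.split(";")) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length && parts[0].toLowerCase() === name) return parts.slice(1);
  }
  return null;
}

// CSP3 host-source matching reduced to scheme, host and path: "*.example.com" matches
// subdomains, a path ending in "/" is a prefix, any other path must match exactly,
// and the query string is ignored.
function sourceMatches(expr, url) {
  const u = new URL(url);
  const schemeEnd = expr.indexOf("://");
  if (schemeEnd < 0) return false;
  if (u.protocol !== expr.slice(0, schemeEnd).toLowerCase() + ":") return false;
  const rest = expr.slice(schemeEnd + 3);
  const slash = rest.indexOf("/");
  const host = (slash < 0 ? rest : rest.slice(0, slash)).toLowerCase();
  const path = slash < 0 ? "" : rest.slice(slash);
  const hostname = u.hostname.toLowerCase();
  const hostOk = host.startsWith("*.") ? hostname.endsWith(host.slice(1)) : hostname === host;
  if (!hostOk) return false;
  if (path === "" || path === "/") return true;
  return path.endsWith("/") ? u.pathname.startsWith(path) : u.pathname === path;
}

// connect-src falls back to default-src, as in real CSP; no directive at all means unrestricted.
function allowedByConnectSrc(header, url) {
  const sources = directiveValue(header, "connect-src") ?? directiveValue(header, "default-src");
  if (sources === null) return true;
  return sources.some((expr) => sourceMatches(expr, url));
}

// Host-level policy, as most Stripe-integrated checkouts write it.
const HOST_LEVEL_CSP =
  "default-src 'self'; script-src 'self' https://js.stripe.com https://www.googletagmanager.com; connect-src 'self' https://api.stripe.com";
// Path-scoped alternative; the two paths are assumed for illustration, not Stripe's full list.
const PATH_SCOPED_CSP =
  "default-src 'self'; script-src 'self' https://js.stripe.com https://www.googletagmanager.com; connect-src 'self' https://api.stripe.com/v1/payment_methods https://api.stripe.com/v1/payment_intents/";

const SKIMMER_EXFIL = "https://api.stripe.com/v1/customers";
const CHECKOUT_CALLS = [
  "https://api.stripe.com/v1/payment_methods",
  "https://api.stripe.com/v1/payment_intents/pi_123/confirm",
];

// Verdict per policy: does the skimmer's POST get through, and does the checkout still work?
function compare() {
  const verdict = (header) => ({
    skimmerExfil: allowedByConnectSrc(header, SKIMMER_EXFIL),
    checkout: CHECKOUT_CALLS.every((u) => allowedByConnectSrc(header, u)),
  });
  return { hostLevel: verdict(HOST_LEVEL_CSP), pathScoped: verdict(PATH_SCOPED_CSP) };
}
```

Narrowing the path blocks `/v1/customers` but cannot stop a skimmer that uses an allowed endpoint with its own publishable key, since CSP never sees which account a request belongs to; `script-src` discipline and GTM container governance remain the controls that stop the injection itself. Before deploying a path-scoped policy, run it in `Content-Security-Policy-Report-Only` and build the allowed list from the checkout's real traffic, since Stripe.js talks to more than one path.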