Novel Magecart Campaign Exploits Cloud Services for Evasion
A new and sophisticated Magecart campaign has emerged that abuses legitimate cloud services to escape detection. According to the researchers who analysed it, the attackers store a JavaScript skimmer in Stripe customer metadata and deliver it to checkout pages through Google Tag Manager (GTM). The approach rides on trusted domains, googletagmanager.com and api.stripe.com, which e-commerce platforms routinely allow and seldom block.
The attack runs in three stages that reveal a deliberate methodology. First, a seemingly legitimate Google Tag Manager container, such as GTM-P6KZMF63, is embedded as a custom tag on the compromised sites. The container carries a small loader that activates only on pages whose URL contains “checkout”. The loader fetches specific customer records from the attacker’s Stripe account, concatenates the metadata fields that hold fragments of the skimmer, and executes the reassembled payload with the JavaScript constructor new Function().
One of the striking features of this attack is that the skimmer is staged in Stripe metadata. Because of this, the attackers can modify the malicious code at any moment without re-injecting or altering the GTM tag on each affected site, which gives them persistent control over the operation.
In the second stage, the executed skimmer hooks into the checkout process. Observations from cybersecurity firm Sansec indicate that the skimmer includes selectors tuned to the markup of platforms such as Magento and Adobe Commerce. Once in place, it waits for the customer to click the checkout button, then harvests card numbers, expiration dates, CVV codes, and various billing and order fields. It XOR-encodes the concatenated data with a fixed key, appends a marker, and writes the resulting blob to localStorage under a predetermined key.
A closer look at the scheme shows that the skimmer is loaded directly from Stripe and, importantly, performs no network exfiltration of its own, which reduces its visibility and lets it evade many runtime monitoring solutions. In the final stage, the loader embedded in the GTM container handles exfiltration: about one second after the page loads, and every 60 seconds thereafter, it reads the stored localStorage data, splits it, and POSTs the fragments back to the attacker’s Stripe account as fields of a newly created customer profile.
The script contains a hard-coded Stripe secret key prefixed with sk_test, an unmistakable sign of compromise: secret keys should never be present in client-side code. Each stolen card entry is catalogued as a “customer” in the attacker’s Stripe account, giving them a durable, searchable database behind a domain that conventional defenses permit.
Sansec’s samples show that the attackers reused standard Stripe data, demonstrating that this tactic has been in place for some time. For instance, an email address attached to a malicious customer record was traced back to December 24, 2025, suggesting the operational life of the campaign. In a variant, the loader may use Google Firestore instead, reading payloads from and writing stolen data to documents that mimic legitimate bot-protection traffic.
These methods exploit the inherent trust placed in mainstream cloud services to bypass Content Security Policy rules and evade network filters that typically flag only unknown skimmer domains. The operational challenge is significant: CSPs and allowlists that include api.stripe.com and googletagmanager.com are unlikely to flag this activity, and scanning outbound requests to cloud APIs will not expose malicious intent when the requests are genuinely authorized and well-formed.
As mitigations, treat any client-side string that starts with sk_test or sk_live as an immediate indicator of compromise. Regularly audit GTM containers and third-party tags, and consider dedicated skimmer detection tools such as Sansec Shield. Operators should also rotate credentials, remove any unrecognized GTM containers and tags, and audit all front-end code for direct interactions with api.stripe.com or firestore.googleapis.com.
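The following is an added example, not code from the original report, from Sansec or from Stripe: a static audit that scans first-party script bodies and the Custom HTML tags of a GTM container export for the indicators described above (a Stripe secret key in client code, direct calls to api.stripe.com or firestore.googleapis.com, dynamic code execution, a localStorage write behind a “checkout” URL gate). The export structure it reads (containerVersion.tag[].parameter[] with key "html") is an assumption about Tag Manager’s container export format, and every sample script and key in it is constructed.

```javascript
// Added example (not from the original report or Sansec): static audit of
// front-end scripts and GTM Custom HTML tags for the indicators described
// above. The GTM export shape is an assumption; all sample data is constructed.

const INDICATORS = [
  // A Stripe *secret* key must never appear in a browser; publishable keys
  // (pk_test_/pk_live_) are the only Stripe keys that belong in client code.
  { id: 'stripe-secret-key', re: /\bsk_(?:test|live)_[A-Za-z0-9]{8,}/g, severity: 'critical' },
  // Stripe.js never calls the Customers API from the page; a direct call is suspect.
  { id: 'stripe-customers-api', re: /api\.stripe\.com\/v1\/customers/g, severity: 'high' },
  { id: 'firestore-endpoint', re: /firestore\.googleapis\.com/g, severity: 'medium' },
  // The loader turns fetched metadata fragments into code this way.
  { id: 'dynamic-code-exec', re: /\bnew\s+Function\s*\(|\beval\s*\(/g, severity: 'medium' },
  { id: 'localstorage-write', re: /localStorage\.setItem\s*\(/g, severity: 'low' },
  { id: 'checkout-url-gate', re: /location\.(?:href|pathname)[^;\n]{0,40}checkout/g, severity: 'low' },
];

const SEVERITY_RANK = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };

// Never copy a live secret into a report; keep only the recognisable prefix.
function redact(id, text) {
  return id === 'stripe-secret-key' ? text.slice(0, 8) + '[redacted]' : text;
}

// Run every indicator over one script body. A fresh RegExp per scan avoids
// carrying lastIndex state from one script into the next.
function scanScript(name, source) {
  const findings = [];
  for (const ind of INDICATORS) {
    const re = new RegExp(ind.re.source, ind.re.flags);
    let m;
    while ((m = re.exec(source)) !== null) {
      findings.push({ script: name, id: ind.id, severity: ind.severity,
                      match: redact(ind.id, m[0]), offset: m.index });
    }
  }
  return findings;
}

function auditScripts(scripts) {
  const findings = scripts.flatMap((s) => scanScript(s.name, s.source));
  let maxSeverity = 'none';
  for (const f of findings) {
    if (SEVERITY_RANK[f.severity] > SEVERITY_RANK[maxSeverity]) maxSeverity = f.severity;
  }
  return { findings, maxSeverity };
}

// Pull the Custom HTML tags out of a GTM container export (assumed shape) so
// their bodies can be scanned like any other first-party script.
function extractCustomHtmlTags(exportJson) {
  const tags = (exportJson.containerVersion && exportJson.containerVersion.tag) || [];
  return tags
    .filter((t) => t.type === 'html')
    .map((t) => ({
      name: t.name + ' (tagId ' + t.tagId + ')',
      source: (t.parameter || []).filter((p) => p.key === 'html').map((p) => p.value).join('\n'),
    }));
}

function auditGtmExport(exportJson) {
  return auditScripts(extractCustomHtmlTags(exportJson));
}

// Constructed sample: a normal Stripe.js integration using only a publishable key.
const BENIGN_CHECKOUT_SCRIPT = [
  'const stripe = Stripe("pk_test_CONSTRUCTEDPUBLISHABLEKEY");',
  'const elements = stripe.elements();',
  'const card = elements.create("card");',
].join('\n');

// Constructed sample export: two ordinary tags plus one Custom HTML tag that
// carries only the marker strings from the write-up (no working loader).
const SAMPLE_GTM_EXPORT = {
  exportFormatVersion: 2,
  containerVersion: {
    tag: [
      { tagId: '1', name: 'Consent banner', type: 'html',
        parameter: [{ type: 'TEMPLATE', key: 'html',
                      value: '<script>window.dataLayer = window.dataLayer || [];</script>' }] },
      { tagId: '2', name: 'GA4 config', type: 'gaawc',
        parameter: [{ type: 'TEMPLATE', key: 'measurementId', value: 'G-CONSTRUCTED' }] },
      { tagId: '7', name: 'Checkout helper', type: 'html',
        parameter: [{ type: 'TEMPLATE', key: 'html', value: [
          '<script>',
          'if (location.href.indexOf("checkout") !== -1) {',
          '  fetch("https://api.stripe.com/v1/customers?limit=1",',
          '        { headers: { Authorization: "Bearer sk_test_CONSTRUCTEDSAMPLEKEY0000" } });',
          '  new Function("/* fragments */")();',
          '  localStorage.setItem("k", "");',
          '}',
          '</script>'].join('\n') }] },
    ],
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const report = auditGtmExport(SAMPLE_GTM_EXPORT);
  console.log('max severity:', report.maxSeverity);
  for (const f of report.findings) console.log(f.severity.padEnd(8), f.id.padEnd(22), f.script, '->', f.match);
}
```

Run against a real export (Admin > Export Container in Tag Manager) and against the bundled scripts served on checkout pages, the audit reports a critical finding on any secret key and a high finding on any page-side call to the Customers API; publishable keys and Stripe.js usage produce no findings, so the benign integration above scores “none”. Matches on the secret-key pattern are redacted to their prefix before they reach the report, since the report itself would otherwise become a place where the key leaks.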
Because these attacks rely heavily on established cloud APIs, defenders must pair behavioral and integrity checks with rigorous allowlist management. Monitoring for unexpected API keys, restricting GTM tag changes to trusted personnel, and validating the origin of any external script before it is deployed are effective lines of defense against such evolving threats.
In conclusion, this Magecart campaign represents a noteworthy evolution in cyber threat tactics, signaling the need for increased vigilance and enhanced defensive measures in an increasingly cloud-reliant digital landscape.

