Magecart Campaign Exploits Stripe for Credit Card Theft
Severity: High (Score: 67.5)
Sources: Gbhackers, Bleepingcomputer
Keywords: stripe, magecart, campaign, abuses, credit, host, attack
Severity indicators: malware
Summary
A new Magecart campaign is leveraging Stripe's API to host a JavaScript skimmer that captures credit card information during online transactions. The attack utilizes Google Tag Manager to inject the malicious code into checkout pages, making it difficult for security measures to detect. The skimmer targets Magento/Adobe Commerce platforms, aiming to steal sensitive payment data including credit card numbers, expiration dates, CVV codes, and customer details. Once collected, the stolen data is stored in Stripe customer metadata, effectively using Stripe as a command and control server. This operation has been active since at least December 24, 2025, and researchers from Sansec have identified a variant that uses Google Firestore for data storage. The campaign poses a significant risk to online retailers and their customers as it exploits trusted services to evade detection.
Key Points:
- Magecart campaign uses Stripe's API to host a JavaScript skimmer for credit card theft.
- Malicious code is injected via Google Tag Manager, targeting Magento/Adobe Commerce checkout pages.
- Stolen payment data is stored in Stripe customer metadata, making detection challenging.
Detailed Analysis
**Impact**
Ecommerce websites using Magento/Adobe Commerce platforms are targeted, with stolen data including credit card numbers, expiration dates, CVV codes, customer names, billing addresses, emails, and phone numbers. The campaign has been active since at least December 24, 2025, affecting online stores globally that rely on Stripe and Google Tag Manager. The use of trusted domains allows the attack to bypass Content Security Policy and network filters, increasing the risk of undetected data theft. The scale of impact is not quantified but involves sensitive payment and personal customer information.

**Technical Details**
Attackers embed JavaScript skimmers within Google Tag Manager containers, which load on checkout pages and retrieve malicious code from Stripe customer metadata (e.g., customer record cus_TfFjAAZQNOYENR). The stolen data is obfuscated using XOR, stored locally, then exfiltrated by creating fake Stripe customer records, turning Stripe into both command-and-control and data storage infrastructure. A variant uses Google Firestore for payload delivery and data storage. No CVEs are mentioned. The attack exploits trusted domains (googletagmanager.com, api.stripe.com) to evade detection and operates during the command and data exfiltration stages of the kill chain.

**Recommended Response**
Implement monitoring for unusual Stripe customer record creation and metadata changes, especially those resembling the identified customer ID patterns. Harden Content Security Policies to restrict script execution from GTM containers and monitor network traffic for suspicious Stripe API calls. Encourage customers to use one-time virtual cards with spending limits to reduce fraud impact. Conduct breach and attack simulation tests to validate SIEM and EDR detection capabilities against similar skimming techniques.
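As an added example (not code from the source reports or from Sansec), a Python heuristic that audits Stripe customer objects, as returned by the Stripe API, for metadata that looks like hosted code or dumped data rather than merchant bookkeeping: base64 blobs, values that decode to JavaScript tokens, and large opaque text on a record with no name or email. The regexes, the thresholds and the sample customer objects are assumptions of this example, not indicators from the campaign.

```python
import binascii
import re
from base64 import b64decode, b64encode

# Heuristics are this example's assumptions, not indicators from the reports:
# base64 blobs, JavaScript tokens, or bulky opaque metadata on an identity-less
# customer record are worth analyst review, not proof of compromise.
JS_TOKENS = re.compile(
    r"function\s*\(|document\.|window\.|eval\(|fromCharCode|XMLHttpRequest|fetch\("
)
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

def suspicious_metadata(customer: dict) -> list[str]:
    """Return the reasons a Stripe customer object looks abused, or []."""
    reasons = []
    meta = customer.get("metadata") or {}
    opaque_chars = 0
    for key, value in meta.items():
        if not isinstance(value, str):
            continue
        text = value
        if B64_BLOB.match(value):
            opaque_chars += len(value)
            reasons.append(f"metadata[{key}] is a base64 blob")
            try:
                text = b64decode(value).decode("utf-8", errors="ignore")
            except binascii.Error:  # bad padding: keep the blob finding only
                text = ""
        if JS_TOKENS.search(text):
            reasons.append(f"metadata[{key}] decodes to JavaScript")
    if opaque_chars >= 1000:
        reasons.append(f"{opaque_chars} chars of opaque metadata")
    if reasons and not (customer.get("email") or customer.get("name")):
        reasons.append("no email or name on the customer record")
    return reasons

def audit(customers: list[dict]) -> dict[str, list[str]]:
    """Map customer id -> reasons for every customer that trips a heuristic."""
    return {c["id"]: r for c in customers if (r := suspicious_metadata(c))}

# Constructed sample in the shape of Stripe customer objects (ids are fake).
FAKE_SKIMMER = b"(function(){document.querySelector('#cc').value})()"
SAMPLE = [
    {"id": "cus_ok", "email": "a@example.com", "metadata": {"order_id": "1001"}},
    {"id": "cus_bad", "email": None, "name": None,
     "metadata": {"p0": b64encode(FAKE_SKIMMER * 4).decode()}},
]
```

Feed `audit()` the `data` array from a paginated `GET /v1/customers` response and route any non-empty result into the monitoring the Recommended Response calls for.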
Source articles (2)
- Credit card theft campaign abuses Stripe to host stolen payment info — Bleepingcomputer · 2026-06-04
  A new Magecart campaign is using Stripe's API infrastructure to host the credit card-stealing payload and the data exfiltrated from checkout pages. The entire malicious activity relies on Google Tag M…
- New Magecart Attack Abuses Stripe as Malware C2 — Gbhackers · 2026-06-05
  A novel Magecart campaign that weaponizes legitimate cloud services to evade detection: attackers are storing a JavaScript skimmer inside Stripe customer metadata and delivering it to victim checkouts…
Timeline
- 2025-12-24 — Magecart operation initiated: The malicious Stripe customer record was created, indicating the start of the campaign.
- 2026-06-04 — Campaign details published: Sansec researchers disclosed the Magecart campaign's methods and impact, highlighting the use of Stripe and Google Tag Manager.
- 2026-06-05 — Further analysis released: Gbhackers reported on the Magecart campaign, emphasizing its use of legitimate cloud services for evasion.
Related entities
- Data Breach (Attack Type)
- Malware (Attack Type)
- Magecart (Malware)
- Magecart Campaign (Campaign)
- api.stripe.com (Domain)
- googletagmanager.com (Domain)
- T1059.007 - JavaScript (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- Adobe Commerce (Platform)
- Magento (Platform)
- Stripe (Platform)
- Google Firestore (Tool)
- Google Tag Manager (Tool)