VYPR
breach · Published Jun 4, 2026 · 1 source

Magecart Campaign Abuses Stripe API for Hosting Stolen Payment Data

A new Magecart campaign is leveraging Stripe's API infrastructure to host malicious JavaScript payloads and exfiltrate stolen credit card data, making detection more difficult.

A sophisticated Magecart campaign has been discovered that ingeniously abuses the legitimate infrastructure of both Google Tag Manager (GTM) and Stripe to host malicious JavaScript payloads and exfiltrate stolen payment card data. This tactic allows the attackers to operate with a significantly reduced profile by blending their malicious network traffic with the trusted domains of these widely used services.

The campaign's entire operation relies on the domains googletagmanager.com and api.stripe.com, which are implicitly trusted by most e-commerce websites. Researchers at Sansec identified that the malicious code is loaded from a GTM container and executes on every page where the container is present. This allows the skimmer to bypass Content Security Policy rules and network filters that would typically flag traffic directed to unknown malicious domains.

Google Tag Manager is a common tool for website owners to manage scripts for analytics and tracking without altering the site's core code. Similarly, Stripe is a ubiquitous payment processing platform used by countless online stores. By embedding malicious code within seemingly legitimate GTM containers, the attackers ensure their skimmer activates precisely when a shopper reaches the checkout page.

The skimmer targets checkout pages on Magento/Adobe Commerce platforms, aiming to capture sensitive payment details including credit card numbers, expiration dates, and CVV codes, along with associated customer information such as billing addresses, email addresses, and phone numbers. Once captured, the stolen data is concatenated into a single string, obfuscated with an XOR cipher, and stored locally in the browser before being exfiltrated.

Instead of immediate exfiltration, the campaign employs a novel method for data retrieval. A separate routine executes shortly after a page load and then every minute thereafter. This routine splits the collected data blob in half, creates a new Stripe customer object, and stores the stolen data within the metadata fields of this new object. Effectively, each stolen payment card is transformed into a fake customer record within the attacker's Stripe account, turning Stripe into a covert storage backend for illicitly obtained financial information.

To further obscure their tracks, the locally stored copy of the stolen data is wiped after it has been successfully copied to Stripe, preventing duplicate uploads and minimizing forensic evidence. This multi-stage process, from injection to obfuscation and staged exfiltration, highlights the evolving tactics of Magecart groups.

Sansec also noted a variant of this campaign that utilizes Google Firestore, a cloud database service, as an alternative storage backend. In this variation, the payload is retrieved from a Firestore document named tracking/captcha within a project called braintree-payment-app. The stolen data is then stored in a different localStorage key, _d_data_customer_. The naming conventions for both the document and project are designed to mimic legitimate payment and bot-protection traffic, further aiding in evasion.
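The behaviour described above (browser-side creation of Stripe customer objects carrying opaque metadata, and the Firestore variant with its named project) gives a defender concrete request patterns to watch for on a checkout page. The following is an added example, not code from Sansec or from the article: a small client-side network monitor that wraps `fetch` and `XMLHttpRequest`, classifies each outbound request, and reports the ones matching those patterns. The classifier's heuristics are assumptions drawn from how Stripe.js normally behaves (the browser authenticates with a publishable `pk_` key and never needs to call `POST /v1/customers`, which requires a secret or restricted key); the Firestore REST path layout is assumed, and all sample requests are constructed.

```javascript
// Added defender-side example (not from the article or the Sansec report).
// Flags the request patterns the article describes: browser-side Stripe
// customer creation with opaque metadata, server-side Stripe keys used from
// the browser, and Firestore traffic to the reported project name.

const STRIPE_HOST = "api.stripe.com";
const FIRESTORE_HOST = "firestore.googleapis.com";
// Project name reported in the article for the Firestore variant.
const KNOWN_BAD_FIRESTORE_PROJECT = "braintree-payment-app";
// Metadata values at least this long are treated as an opaque blob (assumed threshold).
const OPAQUE_METADATA_MIN_LEN = 64;

// Parse an application/x-www-form-urlencoded body (Stripe's wire format).
function parseFormBody(body) {
  const out = {};
  if (typeof body !== "string" || body.length === 0) return out;
  for (const pair of body.split("&")) {
    const idx = pair.indexOf("=");
    const rawKey = idx < 0 ? pair : pair.slice(0, idx);
    const rawVal = idx < 0 ? "" : pair.slice(idx + 1);
    out[decodeURIComponent(rawKey.replace(/\+/g, " "))] =
      decodeURIComponent(rawVal.replace(/\+/g, " "));
  }
  return out;
}

// Accept a Headers object, an array of pairs, or a plain object; lower-case the names.
function normalizeHeaders(h) {
  const out = {};
  if (!h) return out;
  if (typeof h.forEach === "function" && !Array.isArray(h)) {
    h.forEach((v, k) => { out[k.toLowerCase()] = v; });
  } else {
    for (const [k, v] of (Array.isArray(h) ? h : Object.entries(h))) out[k.toLowerCase()] = v;
  }
  return out;
}

// Classify one outbound request. Returns { suspicious, reasons }.
function classifyRequest(url, headers = {}, body = "", base = "https://localhost/") {
  const u = new URL(url, base);
  const h = normalizeHeaders(headers);
  const reasons = [];

  if (u.hostname === STRIPE_HOST) {
    const fields = parseFormBody(body);
    // Stripe.js sends its key either as a Bearer header or as a `key` form field.
    const keyMaterial = `${h.authorization || ""} ${fields.key || ""}`;
    if (/\b(sk|rk)_(live|test)_/.test(keyMaterial)) {
      reasons.push("server-side Stripe key (sk_/rk_) used from the browser");
    }
    if (u.pathname === "/v1/customers") {
      reasons.push("browser-side Stripe customer creation (POST /v1/customers)");
      // The article: the stolen blob is split in half and parked in metadata fields.
      const opaque = Object.keys(fields)
        .filter(k => k.startsWith("metadata[") && fields[k].length >= OPAQUE_METADATA_MIN_LEN);
      if (opaque.length) reasons.push(`opaque metadata payload in ${opaque.join(", ")}`);
    }
  }

  if (u.hostname === FIRESTORE_HOST) {
    // Assumed Firestore REST layout: /v1/projects/<project>/databases/<db>/documents/...
    const m = u.pathname.match(/^\/v1\/projects\/([^/]+)\//);
    if (m && m[1] === KNOWN_BAD_FIRESTORE_PROJECT) {
      reasons.push(`Firestore project ${m[1]} matches the reported indicator`);
    }
  }
  return { suspicious: reasons.length > 0, reasons };
}

// Install on a checkout page: every fetch/XHR is classified before it leaves,
// and suspicious ones are handed to `report` (default: console.warn; in
// production, beacon to your own monitoring endpoint).
function installMonitor(report = r => console.warn("[skimmer-monitor]", r)) {
  const g = globalThis;
  const base = g.location ? g.location.href : "https://localhost/";
  if (typeof g.fetch === "function") {
    const origFetch = g.fetch.bind(g);
    g.fetch = (input, init = {}) => {
      const url = typeof input === "string" ? input : input.url;
      const body = typeof init.body === "string" ? init.body : "";
      const verdict = classifyRequest(url, init.headers, body, base);
      if (verdict.suspicious) report({ url, ...verdict });
      return origFetch(input, init);
    };
  }
  if (typeof g.XMLHttpRequest === "function") {
    const proto = g.XMLHttpRequest.prototype;
    const { open, setRequestHeader, send } = proto;
    proto.open = function (method, url, ...rest) { this._monUrl = url; this._monHdrs = {}; return open.call(this, method, url, ...rest); };
    proto.setRequestHeader = function (k, v) { if (this._monHdrs) this._monHdrs[k] = v; return setRequestHeader.call(this, k, v); };
    proto.send = function (body) {
      const verdict = classifyRequest(this._monUrl || "", this._monHdrs, typeof body === "string" ? body : "", base);
      if (verdict.suspicious) report({ url: this._monUrl, ...verdict });
      return send.call(this, body);
    };
  }
}
```

The monitor must be the first script on the page, loaded from the store's own origin with a Subresource Integrity hash, so that a later-loaded GTM container cannot run before it; and because the skimmer's uploads are timed rather than tied to the form submit, the report path should stay alive for the whole checkout session rather than only at payment time.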

The Stripe customer record associated with this skimmer was reportedly created on December 24, 2025, suggesting the operation has been active for a considerable period. While direct protection against such sophisticated attacks is challenging, users can mitigate risks by employing one-time virtual credit cards with strict spending limits.

Synthesized by Vypr AI