Magecart Skimmer Hijacks Stripe API to Store Stolen Credit Card Data from E‑Commerce Checkout Pages
What Happened – A new Magecart‑style skimming campaign injects malicious JavaScript via Google Tag Manager (GTM) containers. The code captures full payment‑card details on Magento/Adobe Commerce checkout pages and routes the data through Stripe’s api.stripe.com endpoint, storing each stolen card as a fake Stripe customer record. A secondary variant uses Google Firestore as the exfiltration backend.
Why It Matters for TPRM –
- Trusted third‑party services (GTM, Stripe) are weaponised, bypassing CSP and network filters.
- Merchant‑side data exposure can occur without any direct compromise of the payment processor.
- The technique scales across any online store that relies on default Stripe integration, expanding the attack surface of supply‑chain partners.
Who Is Affected – Retail & e‑commerce merchants (especially those running Magento/Adobe Commerce) that use Stripe for payments and GTM for tag management.
Recommended Actions –
- Audit all GTM containers for unauthorized scripts; enforce strict allow‑list policies.
- Harden CSP to block api.stripe.com for any non‑payment‑related requests.
- Implement runtime integrity monitoring of checkout page scripts.
- Verify that Stripe metadata fields are not used for unexpected data storage; consider token‑based data handling.
Technical Notes – The skimmer loads via a GTM container, reconstructs obfuscated JavaScript with new Function(), captures PAN, expiry, CVV, name, email, and phone, XOR‑obfuscates the payload, and writes it to Stripe customer metadata (or Firestore). The malicious payload executes on every page load and repeats every minute, wiping local traces after successful upload. Source: BleepingComputer
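As an added detection example (not from the article or BleepingComputer), the following Python scans a GTM container export for custom HTML tags that show the traits described above: `new Function()` reconstruction, XOR/charCode decoding loops, periodic re-execution, and direct calls to Stripe customer endpoints or Firestore. The export layout (containerVersion.tag[].parameter[] keyed "html"), the indicator regexes, and the sample container are my own assumptions and constructed data.

```python
import json
import re

# Indicator regexes written for the behaviour described in the notes (assumed, not from the page).
INDICATORS = {
    "dynamic_code": re.compile(r"new\s+Function\s*\(|\beval\s*\("),
    "xor_decode": re.compile(r"charCodeAt\([^)]*\)\s*\^|\^\s*\w+\.charCodeAt"),
    "stripe_customers_api": re.compile(r"api\.stripe\.com/v1/customers"),
    "firestore_backend": re.compile(r"firestore\.googleapis\.com"),
    "card_fields": re.compile(r"cvv|cvc|card[_-]?number|expir", re.IGNORECASE),
    "periodic_run": re.compile(r"setInterval\s*\("),
}

def custom_html_tags(container):
    """Yield (tag_name, html) for each custom HTML tag in a GTM export.
    Assumed layout: containerVersion.tag[] of type 'html' with a parameter keyed 'html'."""
    for tag in container.get("containerVersion", {}).get("tag", []):
        if tag.get("type") != "html":
            continue
        for param in tag.get("parameter", []):
            if param.get("key") == "html":
                yield tag.get("name", "<unnamed>"), param.get("value", "")

def scan_container(container, threshold=3):
    """Return {tag_name: [indicator names]} for tags hitting at least `threshold` indicators."""
    findings = {}
    for name, html in custom_html_tags(container):
        hits = [k for k, rx in INDICATORS.items() if rx.search(html)]
        if len(hits) >= threshold:
            findings[name] = hits
    return findings

# Constructed sample export: one benign dataLayer push, one tag mimicking the skimmer traits.
SAMPLE_EXPORT = {"containerVersion": {"tag": [
    {"name": "GA pageview", "type": "html",
     "parameter": [{"type": "TEMPLATE", "key": "html",
                    "value": "<script>window.dataLayer.push({event:'pageview'});</script>"}]},
    {"name": "Checkout helper", "type": "html",
     "parameter": [{"type": "TEMPLATE", "key": "html",
                    "value": ("<script>var k='x';var s=atob('QUJD');var d='';"
                              "for(var i=0;i<s.length;i++){d+=String.fromCharCode("
                              "s.charCodeAt(i)^k.charCodeAt(i%k.length));}"
                              "new Function(d)();setInterval(function(){fetch("
                              "'https://api.stripe.com/v1/customers',{method:'POST'})},60000);</script>")}]},
]}}

if __name__ == "__main__":
    for tag, hits in scan_container(SAMPLE_EXPORT).items():
        print(f"SUSPICIOUS tag {tag!r}: {', '.join(hits)}")
```

Run it against `json.load(open("container.json"))` from a real GTM export; a single indicator (e.g. setInterval) is normal in tag managers, which is why the scanner reports only tags that combine several.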