Magecart Campaign Targets Six Major Card Networks Since 2022
Summary
A global Magecart campaign has been active since 2022, targeting six major payment networks: American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay. The campaign uses malicious JavaScript injected into e-commerce websites and payment portals to intercept payment details during checkout. The client-side nature of the attacks makes them difficult to detect, allowing threat actors to steal sensitive information for fraud or dark web sales. Silent Push discovered the campaign by analyzing a suspicious domain linked to PQ.Hosting/Stark Industries, revealing a long-term web-skimming operation with ongoing infections dating back to 2022. The skimmer employs advanced techniques to evade detection, including checking for administrative interfaces and creating fake payment forms to trick victims into entering their credit card details.
Timeline
- 13.01.2026 19:30 · 1 article
Skimmer Uses Fake Stripe Payment Form and Self-Destruct Mechanism
The skimmer checks for the presence of a 'wpadminbar' element to avoid detection by site administrators. It creates a fake Stripe payment form to trick victims into entering their credit card details. The skimmer exfiltrates data to the server 'lasorie[.]com' and erases traces of itself from the checkout page after data exfiltration, setting a 'wc_cart_hash' flag to prevent re-skimming of the same victim.
Sources:
- Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages — thehackernews.com — 13.01.2026 19:30
- 13.01.2026 13:00 · 2 articles
Magecart Campaign Targeting Six Major Card Networks Discovered
A global Magecart campaign targeting six major payment networks has been active since 2022. The campaign uses malicious JavaScript to intercept payment details during checkout, making it difficult to detect due to its client-side nature. Silent Push discovered the campaign by analyzing a suspicious domain linked to PQ.Hosting/Stark Industries, revealing a long-term web-skimming operation. The skimmer employs advanced techniques to evade detection, including checking for administrative interfaces and creating fake payment forms to trick victims into entering their credit card details.
Sources:
- Global Magecart Campaign Targets Six Card Networks — www.infosecurity-magazine.com — 13.01.2026 13:00
- Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages — thehackernews.com — 13.01.2026 19:30
Information Snippets
- The campaign targets six major payment networks: American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay.
  First reported: 13.01.2026 13:00 · 2 sources, 2 articles
  Sources:
  - Global Magecart Campaign Targets Six Card Networks — www.infosecurity-magazine.com — 13.01.2026 13:00
  - Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages — thehackernews.com — 13.01.2026 19:30
- The malicious JavaScript intercepts payment details during checkout, including payment, name, address, and shipping details.
  First reported: 13.01.2026 13:00 · 2 sources, 2 articles
  Sources:
  - Global Magecart Campaign Targets Six Card Networks — www.infosecurity-magazine.com — 13.01.2026 13:00
  - Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages — thehackernews.com — 13.01.2026 19:30
- The client-side nature of the attacks makes them virtually invisible to site owners and end-users.
  First reported: 13.01.2026 13:00 · 2 sources, 2 articles
  Sources:
  - Global Magecart Campaign Targets Six Card Networks — www.infosecurity-magazine.com — 13.01.2026 13:00
  - Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages — thehackernews.com — 13.01.2026 19:30
- The campaign was discovered by analyzing a suspicious domain linked to PQ.Hosting/Stark Industries.
  First reported: 13.01.2026 13:00 · 2 sources, 2 articles
  Sources:
  - Global Magecart Campaign Targets Six Card Networks — www.infosecurity-magazine.com — 13.01.2026 13:00
  - Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages — thehackernews.com — 13.01.2026 19:30
- The campaign has been active since approximately 2022.
  First reported: 13.01.2026 13:00 · 2 sources, 2 articles
  Sources:
  - Global Magecart Campaign Targets Six Card Networks — www.infosecurity-magazine.com — 13.01.2026 13:00
  - Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages — thehackernews.com — 13.01.2026 19:30
- The skimmer checks for the presence of a 'wpadminbar' element to avoid detection by site administrators.
  First reported: 13.01.2026 19:30 · 1 source, 1 article
  Sources:
  - Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages — thehackernews.com — 13.01.2026 19:30
- The skimmer creates a fake Stripe payment form to trick victims into entering their credit card details.
  First reported: 13.01.2026 19:30 · 1 source, 1 article
  Sources:
  - Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages — thehackernews.com — 13.01.2026 19:30
- The skimmer exfiltrates data to the server 'lasorie[.]com'.
  First reported: 13.01.2026 19:30 · 1 source, 1 article
  Sources:
  - Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages — thehackernews.com — 13.01.2026 19:30
- The skimmer erases traces of itself from the checkout page after data exfiltration.
  First reported: 13.01.2026 19:30 · 1 source, 1 article
  Sources:
  - Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages — thehackernews.com — 13.01.2026 19:30
- The skimmer sets a 'wc_cart_hash' flag to prevent re-skimming of the same victim.
  First reported: 13.01.2026 19:30 · 1 source, 1 article
  Sources:
  - Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages — thehackernews.com — 13.01.2026 19:30
Similar Happenings
Malicious npm Packages Redirecting Users to Crypto Sites
A malware campaign involving seven npm packages has been identified, operated by the threat actor dino_reborn. The packages use cloaking tools, anti-analysis controls, and fake crypto-exchange CAPTCHAs to redirect victims to malicious URLs. The packages were taken down following security requests. The campaign employed detailed device fingerprinting and dynamic redirects through the Adspect API. The malware disabled user interactions and detected security researcher tools, displaying a white page to researchers while redirecting victims to malicious sites. The packages involved are signals-embed, dsidospsodlks, applicationooks21, application-phskck, integrator-filescrypt2025, integrator-2829, and integrator-2830.
Unity SpeedTree Website Compromised to Skim Customer Data
Unity Technologies' SpeedTree website was compromised with malicious code designed to skim sensitive information from customers. The malicious code was active between March 13 and August 26, 2025, and affected 428 individuals. The compromised data includes names, addresses, email addresses, payment card numbers, and access codes. Affected customers are being notified and offered free credit monitoring and identity protection services. This incident follows a recent high-severity vulnerability in the Unity Editor that could allow attackers to execute malicious code on devices running applications built with Unity.
Client-Side JavaScript Security Gaps Exploited During Holiday Shopping Seasons
Unmonitored JavaScript in client-side environments poses a significant security risk, especially during the holiday shopping season. Attackers exploit these gaps to steal payment data, bypassing traditional security measures like WAFs and intrusion detection systems. The 2024 holiday season saw major attacks, including the Polyfill.io breach affecting over 500,000 websites and the Cisco Magecart attack targeting holiday shoppers. These incidents highlight the need for enhanced client-side security measures to protect against data theft and unauthorized script execution. The holiday season amplifies risks due to increased attack motivation, code freeze periods, third-party dependencies, and resource constraints. Effective client-side security involves deploying Content Security Policy (CSP), implementing Subresource Integrity (SRI), conducting regular script audits, and using client-side monitoring tools. Organizations must adapt their security strategies to include comprehensive monitoring and protection of the client environment to safeguard against these evolving threats.
Stripe iframe skimmer campaign exploits payment iframes
A sophisticated skimmer campaign targeting Stripe payment iframes has compromised 49 merchants. Attackers use malicious overlays to bypass security policies and steal credit card data. The campaign exploits vulnerabilities in the host page, highlighting the risks of third-party scripts and outdated security measures. The attack leverages deprecated APIs and injects malicious JavaScript through platforms like WordPress. It demonstrates the need for real-time monitoring and updated security policies to protect payment iframes. The campaign underscores the importance of securing the entire payment page, as mandated by PCI DSS 4.0.1. Organizations must implement strict CSP, advanced iframe monitoring, and secure postMessage handling to mitigate these risks.
TamperedChef Malware Campaign Exploits Fake PDF Editors to Steal Credentials and Cookies
A cybercrime campaign has deployed TamperedChef, an information-stealing malware, through fake PDF editor installers. The malware is distributed via malvertising that directs users to fraudulent sites offering a trojanized PDF editor. The campaign began on June 26, 2025, and activated its malicious features on August 21, 2025; it is assessed to have been active for 56 days before doing so. The malware achieves persistence through Windows Registry changes and communicates with a command-and-control server to execute various malicious actions. TamperedChef harvests sensitive data, including credentials and web cookies, and also acts as a backdoor, supporting scheduled tasks, data exfiltration, and arbitrary command execution.
The campaign is part of a broader trend of malicious ad campaigns promoting trojanized PDF editors. It involves more than 50 domains hosting deceptive apps signed with fraudulent certificates from at least four different companies, has been active since at least August 2024, and has promoted other tools, including the OneStart and Epibrowser browsers. TamperedChef belongs to a broader set of attacks codenamed EvilAI that uses lures related to artificial intelligence (AI) tools and software for malware propagation. The fake applications are signed with code-signing certificates issued to shell companies registered in the U.S., Panama, and Malaysia. Malicious ads or poisoned URLs direct users to booby-trapped domains registered on NameCheap. The malware drops an XML file to create a scheduled task that launches an obfuscated JavaScript backdoor, which connects to an external server and sends basic information such as session ID, machine ID, and other metadata as an encrypted, Base64-encoded JSON string over HTTPS.
The campaign's end goals remain nebulous, with some iterations facilitating advertising fraud. A significant concentration of infections has been identified in the U.S., and to a lesser extent in Israel, Spain, Germany, India, and Ireland. Healthcare, construction, and manufacturing are the most affected sectors.