Major web skimming campaign targeting payment networks
Campaign
Summary
A long-running Magecart web-skimming campaign has been active since 2022 and targets checkout flows tied to American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay. The attackers use malicious JavaScript on compromised e-commerce sites to intercept payment and contact details in the browser, making the theft hard for site owners and shoppers to notice. Silent Push linked the infrastructure to PQ.Hosting/Stark Industries and identified obfuscated scripts such as cdn-cookie[.]com/recorder.js. The campaign matters because it can capture cardholder data and personal information at checkout, enabling identity and payment fraud.
Related Happenings
Funnel Builder plugin WordPress arbitrary JavaScript injection actively exploited security flaw
Vulnerability
First: 16.05.2026 18:20
Last: 16.05.2026 18:20
Sources 1
About this happening:
**Funnel Builder** for **WordPress** is under **active exploitation** for arbitrary JavaScript injection into **WooCommerce checkout pages**, creating payment-skimming risk across...
Taboola pixel runtime redirect chain to Temu tracking endpoint on logged-in banking pages
Technical Analysis
First: 16.04.2026 13:30
Last: 16.04.2026 13:30
Sources 1
About this happening:
A **February 2026 audit** found a **bank-approved Taboola pixel** on logged-in banking pages that redirected browsers to a **Temu tracking endpoint**, exposing a **first-hop trust...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
WebRTC payment skimmer
Malware Activity
First: 26.03.2026 08:53
Last: 26.03.2026 08:53
Sources 1
About this happening:
A **new payment skimmer** has been identified using **WebRTC data channels** to load payloads and steal payment data from **e-commerce sites**, bypassing common security controls....
Magento Open Source and Adobe Commerce PolyShell unauthenticated RCE flaw
Vulnerability
First: 19.03.2026 22:01
Last: 19.03.2026 22:01
Sources 1
About this happening:
**PolyShell** is a **Magento Open Source** and **Adobe Commerce** vulnerability that can enable **unauthenticated code execution** and **account takeover** across **stable version...
Timeline
- 13.01.2026 19:30 · 4 articles · 4mo ago
Silent Push discloses major web skimming campaign
Initial Disclosure
Silent Push disclosed a long-running web skimming campaign active since January 2022 that targets enterprise organizations tied to American Express, Diners Club, Discover, JCB Co., Ltd., Mastercard, and UnionPay. The operation abuses cdn-cookie[.]com to deliver obfuscated JavaScript payloads such as recorder.js and tab-gtm.js, checks WordPress for wpadminbar to avoid administrator sessions, replaces legitimate Stripe checkout pages with a fake payment form, and exfiltrates stolen cardholder and personal data to lasorie[.]com.
Sources
- Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages — thehackernews.com — 13.01.2026 19:30
- Global Magecart Campaign Targets Six Card Networks — www.infosecurity-magazine.com — 13.01.2026 13:00
- Claude Code Security and Magecart: Getting the Threat Model Right — thehackernews.com — 18.03.2026 13:58
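For site owners checking their own checkout pages against the disclosure above, the following added example (not code from Silent Push or from this page) scans a saved copy of a page for resources that load from or submit to the two hosts named in the timeline. Only the two hosts and `recorder.js` come from the page; the function names, the sample HTML, its paths and the lookalike host are constructed, and the subdomain and `form`/`iframe`/`img` coverage goes beyond what the disclosure describes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators as the page gives them (defanged); refanged only in memory for matching.
INDICATORS = {"cdn-cookie[.]com": "script delivery", "lasorie[.]com": "exfiltration"}
HOSTS = {k.replace("[.]", "."): role for k, role in INDICATORS.items()}
DELIVERY, EXFIL = HOSTS  # dict insertion order is preserved
# Tag attributes that make a browser fetch from, or submit data to, a URL.
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "form": "action"}

def match_host(url):
    """Return the indicator host that url points at (exact or subdomain), else None."""
    host = (urlparse(url).hostname or "").rstrip(".")
    return next((b for b in HOSTS if host == b or host.endswith("." + b)), None)

class ResourceScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False  # (where, value, host, role)
    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        attr = URL_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        hit = match_host(url) if url else None
        if hit:
            self.findings.append((f"{tag}[{attr}]", url, hit, HOSTS[hit]))
    def handle_endtag(self, tag):
        self._in_script = False  # inside <script> only </script> is parsed as a tag
    def handle_data(self, data):
        # Plain-text references only; an obfuscated payload will not contain the host.
        for bad in HOSTS:
            if self._in_script and bad in data.lower():
                self.findings.append(("inline-script", bad, bad, HOSTS[bad]))

def scan(html):
    parser = ResourceScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (paths and the lookalike host are made up).
SAMPLE = f"""<html><head><script src="/static/checkout.js"></script>
<script src="//{DELIVERY}/recorder.js"></script>
<script src="https://{DELIVERY}.example.net/lib.js"></script></head>
<body><form action="https://pay.{EXFIL}/submit" method="post"></form>
<script>var u = "https://{EXFIL}/c";</script></body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Because the delivered scripts are obfuscated and the fake form is injected at runtime, a static scan like this is a first pass; the same host match applies to URLs taken from a browser network capture of the checkout flow.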