Major web skimming campaign targeting payment networks
Campaign
Summary
Hide ▲
Show ▼
A long-running Magecart web-skimming campaign has been active since 2022 and targets checkout flows tied to American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay. The attackers use malicious JavaScript on compromised e-commerce sites to intercept payment and contact details in the browser, making the theft hard for site owners and shoppers to notice. Silent Push linked the infrastructure to PQ.Hosting/Stark Industries and identified obfuscated scripts such as cdn-cookie[.]com/recorder.js. The campaign matters because it can capture cardholder data and personal information at checkout, enabling identity and payment fraud.
Related Happenings
Shop fake receipt callback phishing campaign
Campaign
H score29
First: 25.06.2026 22:45
Last: 25.06.2026 22:45
Sources 1
About this happening:
Threat actors are **abusing Shop** by planting **fake purchase receipts** in order histories, turning a trusted shopping app into a **callback-phishing lure** that can expose **ac...
Shop fake receipt callback phishing campaign
CampaignAbout this happening: Threat actors are **abusing Shop** by planting **fake purchase receipts** in order histories, turning a trusted shopping app into a **callback-phishing lure** that can expose **ac...
GorgonAgora fake .shop card-skimming campaign
Campaign
H score84
First: 05.06.2026 11:38
Last: 05.06.2026 11:38
Sources 1
About this happening:
The **GorgonAgora** campaign is using **5,714 fake .shop storefronts** to steal payment data, widening card-theft risk across brand-impersonation checkout pages. The operation has...
GorgonAgora fake .shop card-skimming campaign
CampaignAbout this happening: The **GorgonAgora** campaign is using **5,714 fake .shop storefronts** to steal payment data, widening card-theft risk across brand-impersonation checkout pages. The operation has...
Magecart Stripe and Google Tag Manager card-skimming campaign
Campaign
H score36
First: 04.06.2026 23:47
Last: 04.06.2026 23:47
Sources 1
About this happening:
The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...
Magecart Stripe and Google Tag Manager card-skimming campaign
CampaignAbout this happening: The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...
WordPress malware campaign using Steam profile C2 concealment
Campaign
H score37
First: 01.06.2026 20:04
Last: 01.06.2026 20:04
Sources 1
About this happening:
A **WordPress malware campaign** has infected about **1,980 websites** since **July 2025**, and it hides **command-and-control (C2) data** in **Steam Community profile comments**...
WordPress malware campaign using Steam profile C2 concealment
CampaignAbout this happening: A **WordPress malware campaign** has infected about **1,980 websites** since **July 2025**, and it hides **command-and-control (C2) data** in **Steam Community profile comments**...
Funnel Builder plugin WordPress arbitrary JavaScript injection actively exploited security flaw
Vulnerability
H score72
First: 16.05.2026 18:20
Last: 16.05.2026 18:20
Sources 1
About this happening:
**Funnel Builder** for **WordPress** is under **active exploitation** for arbitrary JavaScript injection into **WooCommerce checkout pages**, creating payment-skimming risk across...
Funnel Builder plugin WordPress arbitrary JavaScript injection actively exploited security flaw
VulnerabilityAbout this happening: **Funnel Builder** for **WordPress** is under **active exploitation** for arbitrary JavaScript injection into **WooCommerce checkout pages**, creating payment-skimming risk across...
Timeline
-
13.01.2026 19:30 4 articles · 5mo ago
Silent Push discloses major web skimming campaign
Initial DisclosureSilent Push disclosed a long-running web skimming campaign active since January 2022 that targets enterprise organizations tied to American Express, Diners Club, Discover, JCB Co., Ltd., Mastercard, and UnionPay. The operation abuses cdn-cookie[.]com to deliver obfuscated JavaScript payloads such as recorder.js and tab-gtm.js, checks WordPress for wpadminbar to avoid administrator sessions, replaces legitimate Stripe checkout pages with a fake payment form, and exfiltrates stolen cardholder and personal data to lasorie[.]com.
Show sources
- Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages — thehackernews.com — 13.01.2026 19:30
- Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages — thehackernews.com — 13.01.2026 19:30
- Global Magecart Campaign Targets Six Card Networks — www.infosecurity-magazine.com — 13.01.2026 13:00
- Claude Code Security and Magecart: Getting the Threat Model Right — thehackernews.com — 18.03.2026 13:58