
Obfuscated web skimmer payload targeting Stripe checkout forms

Malware Activity
H score 33
2 unique sources, 2 articles

Summary


Silent Push disclosed a Magecart-style web skimming campaign that has operated since 2022 and targets e-commerce checkout pages tied to at least six major payment networks, including American Express, Mastercard, and UnionPay. The skimmer uses obfuscated JavaScript delivered through infrastructure such as cdn-cookie[.]com/recorder.js to replace legitimate Stripe payment forms with fake ones, capture payment and personal details, and then restore the original page to conceal the theft. The activity was linked to PQ.Hosting/Stark Industries, and the reporting recommends CSP, PCI DSS, MFA, and timely software updates to reduce exposure.

Related Happenings

Funnel Builder plugin WordPress arbitrary JavaScript injection actively exploited security flaw

Vulnerability
First: 16.05.2026 18:20 Last: 16.05.2026 18:20 Sources 1

About this happening: **Funnel Builder** for **WordPress** is under **active exploitation** for arbitrary JavaScript injection into **WooCommerce checkout pages**, creating payment-skimming risk across...

Funnel Builder security patch release (version 3.15.0.3)

Security Patch Release
First: 16.05.2026 18:20 Last: 16.05.2026 18:20 Sources 1

About this happening: **FunnelKit** released **version 3.15.0.3** to fix a **Funnel Builder** flaw that was being **actively exploited** to inject malicious JavaScript into **WooCommerce checkout pages...

Vercel v0.dev phishing campaign using GenAI-built lure pages

Campaign
First: 07.05.2026 11:30 Last: 07.05.2026 11:30 Sources 1

About this happening: A campaign using **Vercel v0.dev** to build **highly convincing phishing pages** has lowered the skill and cost needed to run fraudulent sign-in and job-lure attacks. The activity...

Taboola pixel runtime redirect chain to Temu tracking endpoint on logged-in banking pages

Technical Analysis
First: 16.04.2026 13:30 Last: 16.04.2026 13:30 Sources 1

About this happening: A **February 2026 audit** found a **bank-approved Taboola pixel** on logged-in banking pages that redirected browsers to a **Temu tracking endpoint**, exposing a **first-hop trust...

WebRTC payment skimmer

Malware Activity
First: 26.03.2026 08:53 Last: 26.03.2026 08:53 Sources 1

About this happening: A **new payment skimmer** has been identified using **WebRTC data channels** to load payloads and steal payment data from **e-commerce sites**, bypassing common security controls....

Timeline

  1. 13.01.2026 19:30 3 articles · 4mo ago

    Silent Push discloses long-running web skimming campaign

    Initial Disclosure

    Silent Push discloses a long-running web skimming campaign active since January 2022 that targets major payment-network clients, including organizations tied to American Express, Diners Club, Discover, JCB Co., Ltd., Mastercard, and UnionPay. The campaign uses cdn-cookie[.]com to deliver obfuscated JavaScript payloads such as recorder.js and tab-gtm.js, detects WordPress administrators through the wpadminbar element, replaces legitimate Stripe checkout forms with fake forms, and exfiltrates names, phone numbers, email addresses, shipping addresses, and payment-card data to lasorie[.]com.
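The reporting recommends CSP; the following added example (not from Silent Push or this page) audits a Content-Security-Policy header to see whether it would still permit script loads from the reported delivery host or outbound data to the reported exfiltration host. The page does not say which channel the skimmer uses to send data, so the check covers `connect-src`, `img-src` and `form-action`; the `shop.example` host and both sample policies are constructed, and the source matcher is a simplified subset of real CSP matching.

```javascript
// Simplified CSP source matching for auditing: handles *, 'self', scheme sources (https:),
// hosts and *.wildcard hosts. Nonces, hashes, ports and paths are ignored.
const NO_FALLBACK = new Set(['form-action', 'base-uri', 'frame-ancestors']);

// Hosts as written in the report (kept defanged), paired with the directive that governs
// script loading and with the common ways a script can send data out.
const REPORTED = [['script-src', 'cdn-cookie[.]com'], ['connect-src', 'lasorie[.]com'],
  ['img-src', 'lasorie[.]com'], ['form-action', 'lasorie[.]com']];

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name)) policy.set(name, sources); // first occurrence wins
  }
  return policy;
}

function sourceMatches(src, url, pageHost) {
  if (src === '*') return true;
  if (src === "'self'") return url.hostname === pageHost;
  if (src.startsWith("'")) return false; // 'none', nonces, hashes, other keywords
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return src === url.protocol; // e.g. https:
  const host = src.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').split('/')[0].split(':')[0];
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}

function allows(policy, directive, url, pageHost) {
  let sources = policy.get(directive);
  // form-action and a few others do NOT inherit from default-src.
  if (sources === undefined && !NO_FALLBACK.has(directive)) sources = policy.get('default-src');
  if (sources === undefined) return true; // nothing restricts this request
  return sources.some((src) => sourceMatches(src, url, pageHost));
}

// Returns the "directive host" pairs that the policy would still permit.
function auditCsp(header, pageHost) {
  const policy = parseCsp(header);
  return REPORTED.filter(([directive, defanged]) => {
    const url = new URL(`https://${defanged.split('[.]').join('.')}/`);
    return allows(policy, directive, url, pageHost);
  }).map(([directive, defanged]) => `${directive} ${defanged}`);
}

// Constructed sample policies for a hypothetical shop at shop.example.
const WEAK = "default-src 'self'; script-src 'self' https: 'unsafe-inline'; img-src *";
const TIGHT = "default-src 'self'; script-src 'self' https://js.stripe.com; " +
  "connect-src 'self' https://api.stripe.com; frame-src https://js.stripe.com; form-action 'self'";
console.log(auditCsp(WEAK, 'shop.example'), auditCsp(TIGHT, 'shop.example'));
```

The weak policy shows two easy-to-miss gaps: a bare `https:` scheme source admits any HTTPS script host, and an absent `form-action` is unrestricted even when `default-src 'self'` is set.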
