Find notable cyber news and cases, enriched with sources, timelines, and signals.

WebRTC payment skimmer

Malware Activity
First reported
Last updated
Happening score
H score 19
1 unique sources, 1 articles

Summary

Hide ▲

A new payment skimmer has been identified using WebRTC data channels to load payloads and steal payment data from e-commerce sites, bypassing common security controls. The behavior matters because it avoids HTTP-only inspection and can slip past Content Security Policy (CSP) protections. The activity was published on 2026-03-26 and is designed to exfiltrate stolen card data from online checkout pages.

Related Happenings

Magecart Stripe and Google Tag Manager card-skimming campaign

Campaign
H score36 First: 04.06.2026 23:47 Last: 04.06.2026 23:47 Sources 1

About this happening: The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...

Funnel Builder plugin WordPress arbitrary JavaScript injection actively exploited security flaw

Vulnerability
H score72 First: 16.05.2026 18:20 Last: 16.05.2026 18:20 Sources 1

About this happening: **Funnel Builder** for **WordPress** is under **active exploitation** for arbitrary JavaScript injection into **WooCommerce checkout pages**, creating payment-skimming risk across...

Taboola pixel runtime redirect chain to Temu tracking endpoint on logged-in banking pages

Technical Analysis
H score28 First: 16.04.2026 13:30 Last: 16.04.2026 13:30 Sources 1

About this happening: A **February 2026 audit** found a **bank-approved Taboola pixel** on logged-in banking pages that redirected browsers to a **Temu tracking endpoint**, exposing a **first-hop trust...

Magento checkout skimmer campaign targeting nearly 100 stores

Campaign
H score31 First: 09.04.2026 01:34 Last: 09.04.2026 01:34 Sources 1

About this happening: A **Magento** checkout skimmer campaign is compromising **nearly 100 online stores** and stealing payment data at the point of sale, putting shoppers’ card details at immediate ri...

Magento Open Source v2 and Adobe Commerce PolyShell mass exploitation

Exploitation Wave
H score34 First: 25.03.2026 23:40 Last: 25.03.2026 23:40 Sources 1

About this happening: **PolyShell** exploitation is now underway against **Magento Open Source v2** and **Adobe Commerce**, with attackers reaching **56.7%** of vulnerable stores. The surge began on **...

Latest development: 09.04.2026 01:34

Sansec reported a new campaign against nearly 100 Magento online stores in which attackers hide a credit card skimmer inside a 1x1-pixel SVG element with an onload handler, display a fake Secure Checkout overlay on checkout, validate submitted card data with Luhn, and exfiltrate payment details to attacker infrastructure; the researchers also identified six exfiltration domains hosted by IncogNet LLC (AS40663).

Timeline

  1. 26.03.2026 08:53 1 articles · 3mo ago

    Adobe releases PolyShell fix in 2.4.9-beta1

    Mitigation Patch Update

    Adobe released a fix for PolyShell in version 2.4.9-beta1 on March 10, 2026, addressing a vulnerability in Magento Open Source and Adobe Commerce that allows unauthenticated attackers to upload arbitrary executables via the REST API and achieve code execution.

    Show sources
  2. 26.03.2026 08:53 1 articles · 3mo ago

    PolyShell enters mass exploitation

    Exploitation Observed

    PolyShell came under mass exploitation beginning March 19, 2026, with more than 50 IP addresses participating in scanning activity against vulnerable stores running Magento Open Source and Adobe Commerce.

    Show sources
  3. 26.03.2026 08:53 2 articles · 3mo ago

    Sansec discloses a WebRTC payment skimmer on a car maker site

    Initial Disclosure

    Sansec disclosed a new payment skimmer targeting a car maker's e-commerce website that uses WebRTC data channels to load payloads and exfiltrate stolen payment data. The skimmer establishes a WebRTC peer connection to hard-coded IP address 202.181.177[.]177 over UDP port 3479, retrieves JavaScript code for page injection, and bypasses Content Security Policy (CSP) and HTTP-only inspection.

    Show sources