WebRTC payment skimmer
Malware Activity
Summary
A new payment skimmer has been identified using WebRTC data channels to load payloads and steal payment data from e-commerce sites, bypassing common security controls. The behavior matters because it avoids HTTP-only inspection and can slip past Content Security Policy (CSP) protections. The activity was published on 2026-03-26 and is designed to exfiltrate stolen card data from online checkout pages.
Related Happenings
Funnel Builder plugin WordPress arbitrary JavaScript injection actively exploited security flaw
Vulnerability
First: 16.05.2026 18:20
Last: 16.05.2026 18:20
Sources 1
About this happening:
**Funnel Builder** for **WordPress** is under **active exploitation** for arbitrary JavaScript injection into **WooCommerce checkout pages**, creating payment-skimming risk across...
Taboola pixel runtime redirect chain to Temu tracking endpoint on logged-in banking pages
Technical Analysis
First: 16.04.2026 13:30
Last: 16.04.2026 13:30
Sources 1
About this happening:
A **February 2026 audit** found a **bank-approved Taboola pixel** on logged-in banking pages that redirected browsers to a **Temu tracking endpoint**, exposing a **first-hop trust...
Magento checkout skimmer campaign targeting nearly 100 stores
Campaign
First: 09.04.2026 01:34
Last: 09.04.2026 01:34
Sources 1
About this happening:
A **Magento** checkout skimmer campaign is compromising **nearly 100 online stores** and stealing payment data at the point of sale, putting shoppers’ card details at immediate ri...
Magento Open Source v2 and Adobe Commerce PolyShell mass exploitation
Exploitation Wave
First: 25.03.2026 23:40
Last: 25.03.2026 23:40
Sources 1
About this happening:
**PolyShell** exploitation is now underway against **Magento Open Source v2** and **Adobe Commerce**, with attackers reaching **56.7%** of vulnerable stores. The surge began on **...
Latest development: 09.04.2026 01:34
Sansec reported a new campaign against nearly 100 Magento online stores in which attackers hide a credit card skimmer inside a 1x1-pixel SVG element with an onload handler, display a fake Secure Checkout overlay on checkout, validate submitted card data with Luhn, and exfiltrate payment details to attacker infrastructure; the researchers also identified six exfiltration domains hosted by IncogNet LLC (AS40663).
Magento Open Source and Adobe Commerce PolyShell unauthenticated RCE flaw
Vulnerability
First: 19.03.2026 22:01
Last: 19.03.2026 22:01
Sources 1
How related:
The attack, which targeted a car maker's e-commerce website, is said to have been facilitated by PolyShell, a new vulnerability impacting Magento Open Source and Adobe Commerce that allows unauthenticated attackers to upload arbitrary executables via the REST API and achieve code execution.
About this happening:
**PolyShell** is a **Magento Open Source** and **Adobe Commerce** vulnerability that can enable **unauthenticated code execution** and **account takeover** across **stable version...
Timeline
26.03.2026 08:53 · 1 article · 2mo ago
Adobe releases PolyShell fix in 2.4.9-beta1
Mitigation Patch Update
Adobe released a fix for PolyShell in version 2.4.9-beta1 on March 10, 2026, addressing a vulnerability in Magento Open Source and Adobe Commerce that allows unauthenticated attackers to upload arbitrary executables via the REST API and achieve code execution.
Sources:
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites — thehackernews.com — 26.03.2026 08:53
26.03.2026 08:53 · 1 article · 2mo ago
PolyShell enters mass exploitation
Exploitation Observed
PolyShell came under mass exploitation beginning March 19, 2026, with more than 50 IP addresses participating in scanning activity against vulnerable stores running Magento Open Source and Adobe Commerce.
Sources:
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites — thehackernews.com — 26.03.2026 08:53
26.03.2026 08:53 · 2 articles · 2mo ago
Sansec discloses a WebRTC payment skimmer on a car maker site
Initial Disclosure
Sansec disclosed a new payment skimmer targeting a car maker's e-commerce website that uses WebRTC data channels to load payloads and exfiltrate stolen payment data. The skimmer establishes a WebRTC peer connection to hard-coded IP address 202.181.177[.]177 over UDP port 3479, retrieves JavaScript code for page injection, and bypasses Content Security Policy (CSP) and HTTP-only inspection.
Sources:
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites — thehackernews.com — 26.03.2026 08:53
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites — thehackernews.com — 26.03.2026 08:53
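Because the skimmer described above moves its payload and stolen data over a WebRTC data channel rather than HTTP, a checkout page that has no use for WebRTC can trip on any attempt to open a peer connection. The following is an added example, not code from Sansec or from this page; the function name `installWebRtcGuard` and the reporting endpoint `/security/webrtc-report` are hypothetical, and it assumes the checkout page itself never needs WebRTC.

```javascript
// Added example (not from the page): tripwire for WebRTC use on a checkout page.
// Assumption: this page has no legitimate need for WebRTC.
const WEBRTC_APIS = ['RTCPeerConnection', 'webkitRTCPeerConnection'];

function installWebRtcGuard(win, report) {
  const guarded = [];
  for (const name of WEBRTC_APIS) {
    if (typeof win[name] !== 'function') continue; // API not exposed in this browser
    const guard = function () {
      // Capture where the call came from so responders can locate the injected script.
      const event = {
        api: name,
        page: String(win.location ? win.location.href : ''),
        stack: String(new Error().stack),
      };
      try { report(event); } catch (_) { /* a reporting failure must not unblock the call */ }
      throw new Error(name + ' is disabled on this page');
    };
    // Lock the property so later scripts cannot simply assign the original back.
    Object.defineProperty(win, name, { value: guard, writable: false, configurable: false });
    guarded.push(name);
  }
  return guarded;
}

// Browser wiring; '/security/webrtc-report' is a hypothetical first-party endpoint.
if (typeof window !== 'undefined') {
  installWebRtcGuard(window, (event) =>
    navigator.sendBeacon('/security/webrtc-report', JSON.stringify(event)));
}
```

The guard only works if it is the first script the checkout page executes, and it is a tripwire that complements CSP and server-side integrity checks rather than a security boundary.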