Find notable cyber news and cases, enriched with sources, timelines, and signals.

Magento checkout skimmer campaign targeting nearly 100 stores

Campaign
First reported
Last updated
Happening score
H score 31
1 unique sources, 1 articles

Summary

Hide ▲

A Magento checkout skimmer campaign is compromising nearly 100 online stores and stealing payment data at the point of sale, putting shoppers’ card details at immediate risk. The operation uses a 1x1-pixel SVG payload to hide the malicious code and make detection harder.

Related Happenings

Magecart Stripe and Google Tag Manager card-skimming campaign

Campaign
H score36 First: 04.06.2026 23:47 Last: 04.06.2026 23:47 Sources 1

About this happening: The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...

Funnel Builder plugin WordPress arbitrary JavaScript injection actively exploited security flaw

Vulnerability
H score72 First: 16.05.2026 18:20 Last: 16.05.2026 18:20 Sources 1

About this happening: **Funnel Builder** for **WordPress** is under **active exploitation** for arbitrary JavaScript injection into **WooCommerce checkout pages**, creating payment-skimming risk across...

Adobe Reader zero-day exploited via malicious PDFs security flaw

Vulnerability
H score38 First: 09.04.2026 12:22 Last: 09.04.2026 12:22 Sources 1

About this happening: **Adobe Reader** is facing an **actively exploited zero-day** delivered through **malicious PDF documents** and observed since at least **December**. The flaw works on the **lates...

Latest development: 13.04.2026 18:37

Adobe released an emergency security update for Acrobat Reader to fix CVE-2026-34621 after zero-day exploitation in malicious PDF files. The bulletin says Acrobat DC versions 26.001.21367 and earlier, Acrobat Reader DC versions 26.001.21367 and earlier, and Acrobat 2024 versions 24.001.30356 and earlier are affected, and Adobe recommends updating through Help > Check for Updates or the official installer.

WebRTC payment skimmer

Malware Activity
H score19 First: 26.03.2026 08:53 Last: 26.03.2026 08:53 Sources 1

About this happening: A **new payment skimmer** has been identified using **WebRTC data channels** to load payloads and steal payment data from **e-commerce sites**, bypassing common security controls....

Magento Open Source v2 and Adobe Commerce PolyShell mass exploitation

Exploitation Wave
H score34 First: 25.03.2026 23:40 Last: 25.03.2026 23:40 Sources 1

How related: Sansec warned that more than half of all vulnerable stores were targeted in PolyShell attacks, which in some cases deployed payment card skimmers using WebRTC for stealthy data exfiltration.

About this happening: **PolyShell** exploitation is now underway against **Magento Open Source v2** and **Adobe Commerce**, with attackers reaching **56.7%** of vulnerable stores. The surge began on **...

Latest development: 09.04.2026 01:34

Sansec reported a new campaign against nearly 100 Magento online stores in which attackers hide a credit card skimmer inside a 1x1-pixel SVG element with an onload handler, display a fake Secure Checkout overlay on checkout, validate submitted card data with Luhn, and exfiltrate payment details to attacker infrastructure; the researchers also identified six exfiltration domains hosted by IncogNet LLC (AS40663).

Timeline

  1. 09.04.2026 01:34 2 articles · 3mo ago

    Sansec identifies Magento checkout skimmer campaign

    Initial Disclosure

    Sansec identifies a campaign targeting nearly 100 Magento online stores in which checkout users are shown a fake Secure Checkout overlay while a 1x1-pixel SVG onload handler hides a card skimmer; the payload validates card data with Luhn, exfiltrates payment details in XOR-encrypted base64-obfuscated JSON, appears to leverage PolyShell access, and uses six exfiltration domains hosted by IncogNet LLC in the Netherlands.

    Show sources