Magecart Stripe and Google Tag Manager card-skimming campaign
Campaign
Summary
The Magecart campaign is abusing Stripe's API infrastructure and Google Tag Manager containers to steal checkout data from Magento/Adobe Commerce stores. The skimmer loads from a GTM container, runs on checkout pages, and routes both the payload and stolen cards through api.stripe.com, helping it blend into trusted payment traffic. A variant also uses Google Firestore to hide the payload and stolen data in a project called braintree-payment-app. The operation has been active since at least December 24, 2025, increasing the risk of payment-card theft and hard-to-detect exfiltration across online stores.
Related Happenings
Trapdoor Android malvertising and ad-fraud campaign
Campaign
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
NGate Android Brazil fake-app and fake-lottery campaign
Campaign
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **NGate** campaign has been active since **November 2025**, targeting primarily **Android devices in Brazil** and using **fake-app** and **fake-lottery** lures to spread a malic...
NGate malware trojanized HandyPay NFC-stealing variant
Malware Activity
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
Magento checkout skimmer campaign targeting nearly 100 stores
Campaign
First: 09.04.2026 01:34
Last: 09.04.2026 01:34
Sources 1
About this happening:
A **Magento** checkout skimmer campaign is compromising **nearly 100 online stores** and stealing payment data at the point of sale, putting shoppers’ card details at immediate ri...
WebRTC payment skimmer
Malware Activity
First: 26.03.2026 08:53
Last: 26.03.2026 08:53
Sources 1
About this happening:
A **new payment skimmer** has been identified using **WebRTC data channels** to load payloads and steal payment data from **e-commerce sites**, bypassing common security controls....
Timeline
- 04.06.2026 23:47 · 1 article
Magecart skimmer activity appears in a Stripe customer record on December 24, 2025
Campaign Scope Update: A Stripe customer record containing the skimmer was reportedly created on December 24, 2025, suggesting the Magecart operation may have been active since at least that day.
Sources:
- Credit card theft campaign abuses Stripe to host stolen payment info — www.bleepingcomputer.com — 04.06.2026 23:47
- 04.06.2026 23:47 · 2 articles
Sansec identifies a Magecart skimmer loaded through Google Tag Manager
Initial Disclosure: Sansec identified a Magecart card-skimming campaign that loads malicious code from Google Tag Manager containers, targets Magento/Adobe Commerce checkout pages, and routes both the payload and stolen cards through api.stripe.com; Sansec also noted a Google Firestore variant using tracking/captcha in the braintree-payment-app project.
Sources:
- Credit card theft campaign abuses Stripe to host stolen payment info — www.bleepingcomputer.com — 04.06.2026 23:47
- Credit card theft campaign abuses Stripe to host stolen payment info — www.bleepingcomputer.com — 04.06.2026 23:47