Magecart campaign uses Google Tag Manager and Stripe API to steal payment cards from Magento checkout pages

Researchers say a new Magecart card-skimming campaign is stealing shoppers’ payment details from compromised online stores and hiding both its malware and stolen data inside trusted Google Tag Manager and Stripe services. Sansec says the skimmer targets Magento and Adobe Commerce checkout pages, pulls JavaScript from a Google Tag Manager container, retrieves payload code from Stripe customer metadata tied to customer ID cus_TfFjAAZQNOYENR, and exfiltrates stolen card, billing, email, and phone data by creating fake Stripe customer records; a variant uses Google Firestore instead of Stripe. The Stripe record was reportedly created on December 24, 2025, suggesting the campaign may have been active for months.
Why it matters: Stores may allow traffic to Google Tag Manager and Stripe by default, letting the skimmer blend in and evade common security controls while stealing card data from real customers. Online retailers using Magento or Adobe Commerce should urgently inspect GTM containers, Stripe API activity, and checkout-page scripts for unauthorized changes.
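One way to start the checkout-page inspection described above, as an added example that is not from Sansec or the cited article: a small audit that flags GTM containers outside the store's allowlist and browser-side references to Stripe's Customers endpoint, Stripe secret or restricted keys, or Firestore. The allowlist, the container IDs, the key strings and both sample pages are constructed, and the key-prefix patterns rest on the assumption that a legitimate storefront exposes only a publishable (`pk_`) Stripe key to the browser.

```python
import re

# Assumption: the store's own GTM container IDs, maintained by the site owner.
ALLOWED_GTM_IDS = {"GTM-STORE01"}

GTM_RE = re.compile(r"googletagmanager\.com/gtm\.js\?id=(GTM-[A-Z0-9]+)")

# Browser code normally carries only a publishable key (pk_...). Secret or
# restricted keys and the Customers endpoint belong on the server side.
CHECKS = {
    "stripe-secret-key": re.compile(r"\b[sr]k_(?:live|test)_[A-Za-z0-9]+"),
    "stripe-customers-api": re.compile(r"api\.stripe\.com/v1/customers"),
    "firestore-endpoint": re.compile(r"firestore\.googleapis\.com"),
}


def audit_checkout(html, allowed_gtm=ALLOWED_GTM_IDS):
    """Return a sorted list of (finding, detail) tuples for one page or script."""
    findings = set()
    for gtm_id in GTM_RE.findall(html):
        if gtm_id not in allowed_gtm:
            findings.add(("unknown-gtm-container", gtm_id))
    for name, pattern in CHECKS.items():
        for match in pattern.findall(html):
            findings.add((name, match))
    return sorted(findings)


# Constructed sample input: an untouched checkout page.
CLEAN_PAGE = """
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-STORE01"></script>
<script src="https://js.stripe.com/v3/"></script>
<script>const stripe = Stripe("pk_test_CONSTRUCTED");</script>
"""

# Constructed sample input: the same page with an extra container and
# script text that references server-only Stripe material.
TAMPERED_PAGE = CLEAN_PAGE + """
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE9"></script>
<script>var u = "https://api.stripe.com/v1/customers", k = "rk_test_CONSTRUCTED";</script>
"""

if __name__ == "__main__":
    for finding, detail in audit_checkout(TAMPERED_PAGE):
        print(f"{finding}: {detail}")
```

Because the skimmer is delivered through a GTM container, run the same check over the exported tag contents of each container and over every script the checkout page loads, not only the static HTML. A Firestore hit is a prompt for review rather than proof of compromise on stores that use Firestore legitimately.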

Sources

Credit card theft campaign abuses Stripe to host stolen payment info
Bill Toulas 2026.06.04
This article appears to be the initial report on a distinct Magecart payment-card theft campaign that abuses Stripe and Google Tag Manager as trusted infrastructure, not an update to an existing tracked story.