New Magecart Attack Abuses Stripe as Malware C2

ID: 1d646377-f023-5c9c-8f40-7d01f48af8de

STIX ID: report--1d646377-f023-5c9c-8f40-7d01f48af8de

Feed Name: GBHackers

Threat Score
78/100

Date Published: 2026-06-05

Date Updated: 2026-06-05

Author: Mayura Kathir

A Magecart campaign abuses trusted cloud services by storing a JavaScript skimmer in Stripe customer metadata and loading it on checkout pages through malicious Google Tag Manager containers. The skimmer captures card numbers, expiry, CVV and billing/order fields, XOR-encodes and stores them in localStorage; a loader then creates Stripe customer records (using a hardcoded sk_test_ key) to persistently exfiltrate stolen data behind api.stripe.com. Variants use Google Firestore similarly; Sansec observed Magento/Adobe Commerce selectors, sample artifacts and a customer record dated December 24, 2025. Recommended mitigations include auditing GTM containers and third-party tags, treating sk_test_/sk_live_ strings in client-side code as compromise indicators, rotating credentials, and using specialized skimmer detection tools.
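The indicator named in the mitigations, an sk_test_/sk_live_ string in client-side code, can be checked mechanically over exported GTM tag bodies or fetched checkout scripts; the following is an added example, not code from Sansec or the original report. It goes slightly beyond the summary by also catching a key split across string literals joined on one line. Assumptions: the function and field names, the 16-character minimum after the prefix, and the constructed sample keys.

```python
import re
from dataclasses import dataclass

# Secret keys start with sk_test_ or sk_live_. Publishable pk_ keys are expected
# in browser code and are deliberately not matched.
# Assumption: at least 16 alphanumeric characters follow the prefix.
SECRET_KEY_RE = re.compile(r"\bsk_(test|live)_[0-9A-Za-z]{16,}")
# Matches the  ' + '  seam between adjacent string literals on one line.
CONCAT_RE = re.compile(r"""['"][ \t]*\+[ \t]*['"]""")
STRIPE_API_HOST = "api.stripe.com"


@dataclass(frozen=True)
class Finding:
    source: str             # label of the scanned tag, file or URL
    line: int               # 1-based line number in the scanned text
    mode: str               # "test" or "live"
    redacted: str           # prefix and last four characters only
    calls_stripe_api: bool  # same script also references api.stripe.com


def scan_script(source, text):
    """Return a Finding for every Stripe secret key in one script body."""
    calls_api = STRIPE_API_HOST in text
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Rejoin 'sk_' + 'test_' + '...' so a key split across literals matches.
        joined = CONCAT_RE.sub("", raw)
        for m in SECRET_KEY_RE.finditer(joined):
            redacted = "sk_%s_...%s" % (m.group(1), m.group(0)[-4:])
            findings.append(Finding(source, lineno, m.group(1), redacted, calls_api))
    return findings


# Constructed sample: a tag body with a legitimate publishable key and a
# secret key split across string literals. Both key values are made up.
SAMPLE_TAG = """\
var pk = "pk_live_CONSTRUCTEDpublishable0001";
var k = "sk_" + "test_" + "CONSTRUCTEDexample00000000abcd";
var endpoint = "https://api.stripe.com/";
"""

if __name__ == "__main__":
    for f in scan_script("constructed-gtm-tag", SAMPLE_TAG):
        print(f)
```

Findings carry only a redacted key so scan output can be shared in a ticket; the full value should be pulled from the source when the credential is rotated.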