Magecart Hijacks Checkout & Accounts with Massive Malicious

Heads up, everyone. A massive web skimming operation has just popped up across the internet. And get this: it’s hitting online shoppers and account holders with a scope we really haven’t seen before. Seriously, it’s unprecedented.

Security researchers have identified an over 50-script global campaign that intercepts sensitive information during checkout and account creation processes.

The attack demonstrates a significant evolution in how cybercriminals target e-commerce platforms, moving beyond simple credit card theft to stealing full customer identities.

The campaign employs modular payloads designed for specific payment processors. Attackers have created localized variations that specifically target Stripe, Mollie, PagSeguro, OnePay, PayPal, and other major payment gateways.

This customized approach allows the malware to blend seamlessly with legitimate payment interfaces, making detection significantly harder for both security teams and customers completing transactions.

Source Defense Research analysts identified the malware infrastructure, uncovering a sophisticated network of domain names used to distribute and control the attack.

Domains such as googlemanageranalytic.com, gtm-analyticsdn.com, and jquery-stupify.com were crafted to appear legitimate, often mimicking popular libraries and analytics services that websites normally load.

This deception allows the malicious scripts to execute without raising immediate suspicion.

The attack operates through multiple infection vectors that make it exceptionally dangerous. Malicious scripts inject fake payment forms directly into websites, creating convincing phishing interfaces that capture customer data.

The campaign

The campaign also deploys silent skimming techniques, quietly recording information as users type.

Additionally, the scripts implement anti-forensics measures including hidden form inputs and Luhn-valid junk card generation, which complicates incident response and analysis efforts.

What sets this campaign apart is its expanded scope beyond payment card details. The malware actively harvests user credentials, personally identifiable information, and email addresses.

This comprehensive data collection enables attackers to conduct account takeover attacks and establish persistent access through rogue administrator accounts. The threat has effectively evolved from card-specific skimming into a full identity compromise operation.

The campaign reveals how web skimming has matured into a sophisticated, long-term persistence mechanism.

By stealing credentials and establishing admin access, attackers can maintain control over compromised websites for extended periods, continuously harvesting data from multiple transaction flows.

Organizations running e-commerce platforms must strengthen client-side security, implement content security policies, and deploy real-time payment form monitoring to detect and block such malicious injections before they reach customers.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.