Google, Stripe and Magento/Adobe Commerce: Credit card theft campaign abuses Stripe to host stolen payment info

New Magecart Campaign Exploits Stripe API to Steal Payment Data

Researchers at Sansec have uncovered a sophisticated Magecart campaign leveraging Stripe’s API infrastructure and Google Tag Manager (GTM) to steal credit card details from e-commerce checkout pages. The attack, active since at least December 24, 2025, abuses trusted domains googletagmanager.com and api.stripe.com to bypass security filters and exfiltrate stolen data undetected.

The malware is embedded in legitimate-looking GTM containers, which execute when a shopper reaches a checkout page. It targets Magento/Adobe Commerce stores, capturing payment details (card number, CVV, expiration date), billing information, and customer contact data. The stolen data is obfuscated using XOR encryption, stored locally, and later exfiltrated via Stripe’s API by creating fake customer records under the attacker’s account (cus_TfFjAAZQNOYENR).

A variant of the campaign uses Google Firestore (project: braintree-payment-app, document: tracking/captcha) to host the payload and store stolen data, blending in with legitimate payment and bot-protection traffic. Once exfiltrated, the malware wipes local traces to avoid detection.

The attack highlights how threat actors exploit trusted platforms to evade security measures, turning payment processors into unwitting storage for stolen financial data.

Source: https://www.bleepingcomputer.com/news/security/credit-card-theft-campaign-abuses-stripe-to-host-stolen-payment-info/

Adobe Commerce cybersecurity rating report: https://www.rankiteo.com/company/adobe-commerce

Stripe cybersecurity rating report: https://www.rankiteo.com/company/stripe

Google cybersecurity rating report: https://www.rankiteo.com/company/google

{
"id": "ADOSTRGOO1780611936",
"linkid": "adobe-commerce, stripe, google",
"type": "Cyber Attack",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Retail, Online Shopping',
                        'type': 'E-commerce businesses'}],
 'attack_vector': 'Compromised Google Tag Manager (GTM) containers, Stripe API '
                  'abuse, Google Firestore',
 'data_breach': {'data_encryption': 'XOR encryption (obfuscation)',
                 'data_exfiltration': 'Yes (via Stripe API and Google '
                                      'Firestore)',
                 'personally_identifiable_information': 'Yes (names, '
                                                        'addresses, contact '
                                                        'details)',
                 'sensitivity_of_data': 'High (financial and personal data)',
                 'type_of_data_compromised': 'Payment card data, personally '
                                             'identifiable information (PII), '
                                             'billing details'},
 'date_detected': '2025-12-24',
 'description': 'Researchers at Sansec have uncovered a sophisticated Magecart '
                'campaign leveraging Stripe’s API infrastructure and Google '
                'Tag Manager (GTM) to steal credit card details from '
                'e-commerce checkout pages. The attack abuses trusted domains '
                'googletagmanager.com and api.stripe.com to bypass security '
                'filters and exfiltrate stolen data undetected. The malware is '
                'embedded in legitimate-looking GTM containers, targeting '
                'Magento/Adobe Commerce stores to capture payment details, '
                'billing information, and customer contact data. The stolen '
                'data is obfuscated using XOR encryption and exfiltrated via '
                'Stripe’s API or Google Firestore.',
 'impact': {'brand_reputation_impact': 'High (trust erosion due to payment '
                                       'data theft)',
            'data_compromised': 'Credit card details (number, CVV, expiration '
                                'date), billing information, customer contact '
                                'data',
            'identity_theft_risk': 'High',
            'legal_liabilities': 'Potential (PCI DSS violations, GDPR/CCPA '
                                 'non-compliance)',
            'operational_impact': 'Potential disruption to checkout processes, '
                                  'increased fraud risk',
            'payment_information_risk': 'High',
            'systems_affected': 'Magento/Adobe Commerce e-commerce stores'},
 'initial_access_broker': {'entry_point': 'Compromised GTM containers, Stripe '
                                          'API abuse',
                           'high_value_targets': 'Magento/Adobe Commerce '
                                                 'stores'},
 'investigation_status': 'Ongoing (research phase)',
 'lessons_learned': 'Threat actors are increasingly abusing trusted '
                    'third-party services (e.g., Stripe, Google Tag Manager) '
                    'to bypass security controls. Strict content security '
                    'policies (CSP) and monitoring of outbound API traffic are '
                    'critical to detecting such attacks.',
 'motivation': 'Financial gain (credit card fraud, identity theft)',
 'post_incident_analysis': {'corrective_actions': 'Enforce CSP, monitor API '
                                                  'traffic, audit GTM '
                                                  'containers, deploy '
                                                  'behavioral WAF rules.',
                            'root_causes': 'Abuse of trusted domains '
                                           '(googletagmanager.com, '
                                           'api.stripe.com), lack of CSP '
                                           'enforcement, insufficient '
                                           'monitoring of outbound API '
                                           'traffic.'},
 'recommendations': ['Implement strict Content Security Policies (CSP) to '
                     'restrict unauthorized script execution.',
                     'Monitor outbound API traffic for anomalies, especially '
                     'to payment processors like Stripe.',
                     'Audit Google Tag Manager (GTM) containers for '
                     'unauthorized scripts.',
                     'Deploy behavioral WAF rules to detect skimming activity.',
                     'Educate customers about potential fraud risks and '
                     'monitor for unauthorized transactions.'],
 'references': [{'source': 'Sansec'}],
 'regulatory_compliance': {'regulations_violated': ['PCI DSS', 'GDPR', 'CCPA']},
 'response': {'third_party_assistance': 'Sansec (threat research)'},
 'title': 'New Magecart Campaign Exploits Stripe API to Steal Payment Data',
 'type': 'Magecart (Digital Skimming)',
 'vulnerability_exploited': 'Trusted domain abuse (googletagmanager.com, '
                            'api.stripe.com), lack of strict content security '
                            'policies (CSP)'}