Skip to content
Malware family Cloud

MageCart

Magecart is an umbrella term for financially motivated web-skimming malware and the criminal activity clusters that deploy it against e-commerce environments.

Profile source: Mallory opens in a new tab

MageCart

Family profile

Magecart is an umbrella term for financially motivated web-skimming malware and the criminal activity clusters that deploy it against e-commerce environments. Rather than a single codebase, it encompasses JavaScript-based payment skimmers that are injected into online stores, checkout components, or third-party web dependencies to steal payment and personal data in the browser during live transactions. Magecart activity has repeatedly targeted platforms such as Magento, Adobe Commerce, WooCommerce, WordPress-based stores, Salesforce Commerce Cloud deployments, and payment flows integrated with providers including Stripe, Redsys, PayPlug, and Authorize.net.

Magecart skimmers typically activate on checkout pages, monitor payment-related form elements, and capture card numbers, expiration dates, CVV values, billing details, names, email addresses, phone numbers, and sometimes account credentials. Many variants preserve the normal purchase flow so transactions still complete, which materially increases dwell time and reduces the chance of discovery. Common tradecraft includes injecting fake payment overlays or iframe-like forms that mimic legitimate processors, hooking checkout buttons and form events, dynamically mapping fields across different storefront layouts, validating card data in real time, and storing temporary state in browser storage to support deduplication or delayed transmission.

The malware family is notable for extensive defense evasion. Observed techniques include heavy JavaScript obfuscation, inline payloads hidden in HTML or SVG elements, disguising malicious code as analytics or tag-management snippets, use of trusted third-party infrastructure, anti-debugging logic, self-removal when administrator indicators are present, staged loaders that fetch store-specific skimmers, and exfiltration methods designed to resemble benign web traffic such as image beacons, analytics requests, WebSocket traffic, or backend API abuse. Some campaigns encrypt or encode stolen data before exfiltration and use resilient multi-stage infrastructure with fallback domains or bulletproof hosting.

Initial compromise vectors vary by campaign but commonly include vulnerable plugins, CMS flaws, supply-chain compromise of third-party scripts, misconfigured cloud storage, stolen or weak administrative credentials, and direct modification of store code or payment gateway components. Magecart operations have been linked to major breaches affecting large retailers and ticketing platforms, as well as broad campaigns compromising many smaller merchants simultaneously. The primary objective is theft and monetization of payment-card data, making Magecart one of the most persistent and consequential forms of client-side e-commerce malware.

Capabilities

  • Credential Theft
  • Defense Evasion
  • Exfiltration
  • Persistence

Exploited software

Vulnerabilities linked to MageCart

2 CVEs

MITRE ATT&CK

MageCart in ATT&CK

12 distinct techniques

Reporting

Research mentioning MageCart

Jun 17
Security Online Info

WooCommerce Payment Skimmer Steals Cards at Checkout

This is the Magecart approach, where attackers inject JavaScript skimmers into trusted stores. According to CloudSEK, the skimmer “silently steals card details during genuine payments.”

Jun 5
Scworld

Magecart campaign exploits Stripe API for credit card theft | brief | SC Media

A new Magecart campaign is leveraging the trusted infrastructure of Stripe's API to host credit card-stealing payloads and exfiltrate stolen data from online checkout pages... Researchers at Sansec discovered that the skimmer is loaded from a GTM container and executes on checkout pages, targeting Magento/Adobe Commerce platforms.

May 19
Zeropath

Brief Summary: CVE-2026-47100 Missing Authorization in FunnelKit Funnel Builder Enables Checkout Page Skimming on 40,000+ WooCommerce Stores - ZeroPath Blog | ZeroPath

Sansec researchers have confirmed active exploitation, with threat actors deploying Magecart style skimmers that harvest credit card numbers, CVVs, and billing addresses from unsuspecting shoppers.

May 14
Sansec

Critical FunnelKit vulnerability threatens 40,000+ WooCommerce checkouts | Sansec

Dressing skimmers up as Google Analytics or Tag Manager code is a recurring Magecart pattern, since reviewers tend to skim straight past anything that looks like a familiar tracking tag.

Apr 21
Osint Team

The Factory Behind the Fake Bargain | by Sigmund Brandstaetter CISSP, CCSP, CISM, OSCP, CEH | Apr, 2026 | OSINT Team

The 2024 Payment Fraud Intelligence Report from Recorded Future documented 269 million stolen card records posted across dark and clear web platforms in a single year, with Magecart e-skimmer infections tripling due to widespread web vulnerabilities.

Apr 10
Cyber Security News

Hackers Use SVG Onload Trick to Hide Magecart Skimmer on Magento Checkout Pages

A massive Magecart campaign compromising 99 Magento e-commerce stores using an innovative evasion technique. Discovered on April 7, 2026, the attack relies on invisible Scalable Vector Graphics (SVG) elements to inject credit card skimmers directly into checkout pages.

Apr 1
Cyber Security News

Magecart Hackers Use 100+ Domains to Hijack eStore Checkouts

A sophisticated and long-running Magecart campaign has been quietly operating for over 24 months, infecting e-commerce websites across at least 12 countries using more than 100 malicious domains to steal payment card data in real time.

Jan 21
Cyber Security News

New Magecart Attack Inject Malicious JavaScript to Skim Payment Data

A new Magecart-style campaign has emerged, targeting online shoppers through malicious JavaScript code designed to steal payment information directly from ecommerce websites.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.