MageCart
Magecart is an umbrella term for financially motivated web-skimming malware and the criminal activity clusters that deploy it against e-commerce environments.
Profile source: Mallory opens in a new tabMageCart
Family profile
Magecart is an umbrella term for financially motivated web-skimming malware and the criminal activity clusters that deploy it against e-commerce environments. Rather than a single codebase, it encompasses JavaScript-based payment skimmers that are injected into online stores, checkout components, or third-party web dependencies to steal payment and personal data in the browser during live transactions. Magecart activity has repeatedly targeted platforms such as Magento, Adobe Commerce, WooCommerce, WordPress-based stores, Salesforce Commerce Cloud deployments, and payment flows integrated with providers including Stripe, Redsys, PayPlug, and Authorize.net.
Magecart skimmers typically activate on checkout pages, monitor payment-related form elements, and capture card numbers, expiration dates, CVV values, billing details, names, email addresses, phone numbers, and sometimes account credentials. Many variants preserve the normal purchase flow so transactions still complete, which materially increases dwell time and reduces the chance of discovery. Common tradecraft includes injecting fake payment overlays or iframe-like forms that mimic legitimate processors, hooking checkout buttons and form events, dynamically mapping fields across different storefront layouts, validating card data in real time, and storing temporary state in browser storage to support deduplication or delayed transmission.
The malware family is notable for extensive defense evasion. Observed techniques include heavy JavaScript obfuscation, inline payloads hidden in HTML or SVG elements, disguising malicious code as analytics or tag-management snippets, use of trusted third-party infrastructure, anti-debugging logic, self-removal when administrator indicators are present, staged loaders that fetch store-specific skimmers, and exfiltration methods designed to resemble benign web traffic such as image beacons, analytics requests, WebSocket traffic, or backend API abuse. Some campaigns encrypt or encode stolen data before exfiltration and use resilient multi-stage infrastructure with fallback domains or bulletproof hosting.
Initial compromise vectors vary by campaign but commonly include vulnerable plugins, CMS flaws, supply-chain compromise of third-party scripts, misconfigured cloud storage, stolen or weak administrative credentials, and direct modification of store code or payment gateway components. Magecart operations have been linked to major breaches affecting large retailers and ticketing platforms, as well as broad campaigns compromising many smaller merchants simultaneously. The primary objective is theft and monetization of payment-card data, making Magecart one of the most persistent and consequential forms of client-side e-commerce malware.
Capabilities
- Credential Theft
- Defense Evasion
- Exfiltration
- Persistence
Exploited software
Vulnerabilities linked to MageCart
2 CVEsMITRE ATT&CK
MageCart in ATT&CK
12 distinct techniquesReporting
Research mentioning MageCart
WooCommerce Payment Skimmer Steals Cards at Checkout
This is the Magecart approach, where attackers inject JavaScript skimmers into trusted stores. According to CloudSEK, the skimmer “silently steals card details during genuine payments.”
Magecart campaign exploits Stripe API for credit card theft | brief | SC Media
A new Magecart campaign is leveraging the trusted infrastructure of Stripe's API to host credit card-stealing payloads and exfiltrate stolen data from online checkout pages... Researchers at Sansec discovered that the skimmer is loaded from a GTM container and executes on checkout pages, targeting Magento/Adobe Commerce platforms.
Brief Summary: CVE-2026-47100 Missing Authorization in FunnelKit Funnel Builder Enables Checkout Page Skimming on 40,000+ WooCommerce Stores - ZeroPath Blog | ZeroPath
Sansec researchers have confirmed active exploitation, with threat actors deploying Magecart style skimmers that harvest credit card numbers, CVVs, and billing addresses from unsuspecting shoppers.
Critical FunnelKit vulnerability threatens 40,000+ WooCommerce checkouts | Sansec
Dressing skimmers up as Google Analytics or Tag Manager code is a recurring Magecart pattern, since reviewers tend to skim straight past anything that looks like a familiar tracking tag.
The Factory Behind the Fake Bargain | by Sigmund Brandstaetter CISSP, CCSP, CISM, OSCP, CEH | Apr, 2026 | OSINT Team
The 2024 Payment Fraud Intelligence Report from Recorded Future documented 269 million stolen card records posted across dark and clear web platforms in a single year, with Magecart e-skimmer infections tripling due to widespread web vulnerabilities.
Hackers Use SVG Onload Trick to Hide Magecart Skimmer on Magento Checkout Pages
A massive Magecart campaign compromising 99 Magento e-commerce stores using an innovative evasion technique. Discovered on April 7, 2026, the attack relies on invisible Scalable Vector Graphics (SVG) elements to inject credit card skimmers directly into checkout pages.
Magecart Hackers Use 100+ Domains to Hijack eStore Checkouts
A sophisticated and long-running Magecart campaign has been quietly operating for over 24 months, infecting e-commerce websites across at least 12 countries using more than 100 malicious domains to steal payment card data in real time.
New Magecart Attack Inject Malicious JavaScript to Skim Payment Data
A new Magecart-style campaign has emerged, targeting online shoppers through malicious JavaScript code designed to steal payment information directly from ecommerce websites.