#Magecart alert: Hidden img ng-on-error reused a CSP nonce to load npm.clickcdn01[.]net, opened WebRTC to 85.17.55[.]137, injected a pixel-perfect fake @2c2p #payment form, and exfiltrated card data over WebRTC. #DataBreach #PCIDSS #ClientSideSecurity #WebSkimming #eSkimming #FormJacking
#Magecart attacks continue to use WebRTC for bypassing CSP entirely. Most attacks are injected as 1st-party inline JS. One variant is loaded from a compromised German Magento #ecommerce abused as a malware host. C2 infra: 178.16.53.\219 45.158.127.\28 38.87.117.\12 #DataBreach #PCIDSS #clientsidesecurity #WebSkimming #eSkimming #FormJacking
Again, a #Magecart attack abusing @Google services. The attack starts via malicious GTM containers, which fetch skimmer payloads from Firestore. The skimmer harvests #payment & PII data to localStorage. The data is exfiltrated by the GTM back to Firestore.
GTM IDs:
- P488GV4L
- NHD6TPNH
- WHMCNDCS
- WVTX28GJ
#eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
The dynamic DoH #Magecart group just upgraded their evasion game. Caught a new variant via GTM-PLBTGD25:
• DoH lookup on cloudflare-dns.com for `jartrack.\com`
• Decoupled stack traces via fake CDN (`fastcdnjs.\net`)
• Camouflaged as a Canvas Defender decoy
• Exfil over `crmcom.\org`
My original thread on this group: x.com/sdcyberresearch/status…
#eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
A dynamic & resilient #Magecart infrastructure was found:
• Loaded via GTM-5QGGLMHR
• Performs DNS-over-HTTPS TXT lookup via cloudflare-dns.com for clickgator.\info
• TXT response returns a C2 WebSocket endpoint adsbridge.\fun, which is then opened
• AES-GCM 256-bit key exchange performed over the socket
• A second WebSocket is opened to adsbridge.\site or adsbridge.\space to retrieve the Magecart JS
• Based on the site’s PSP, it replaces the #payment form or performs silent skimming
• Stolen payment data is encrypted and exfiltrated via WebSocket to clickopath.\info
This represents a new generation of Magecart: infrastructural, dynamic, hidden and stable.
#eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
#Magecart attack from ftp-opencart.\com targets @PayPal checkouts only. Victim clicks PayPal → fake loading screen → pixel-perfect fake PayPal form steals full card billing. This domain was first found in Dec 2025 x.com/sdcyberresearch/status…. Same ghost, new disguise. #eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
🚨 Massive #Magecart campaign uncovered. An over-50-script global operation hijacking checkout and account creation flows. Modular, localized payloads target Stripe, Mollie, PagSeguro, OnePay, PayPal & more. Uses fake payment forms, phishing iframes, and silent #skimming, plus anti-forensics tricks (hidden inputs, Luhn-valid junk cards). Moves beyond cards to steal credentials & PII, enabling ATO and long-term persistence via rogue admin access.
⚠️ This is Magecart evolving into full identity compromise.
#WebSkimming #FormJacking #PCIDSS #CyberSecurity #DataTheft #clientsidesecurity
Involved domains: bitbaystats.\com bootstrap-sdn.\com cdn-htojar.\com claritycrown.\com ftp-opencart.\com googlemanageranalytic.\com gtm-analyticsdn.\com hotanalytic.\com jquery-minical.\com jquery-stupify.\com sdn-jquary.\com sdn-optima.\com staticsinfo.\com supluyers.\com
A ghost #Magecart code was found on several sites using a major #ecommerce platform. The attack has been active since 2021, a 5-year persistence! As the platform upgraded its @Stripe & @Square integrations, the HTML elements the attack targeted became obsolete. The code haunted the sites as "ghost code" until our report led to its removal. #eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
Google Tag Manager continues to be abused by #magecart attacks: TKMN7B96 -> phppackageeuro.\com NMNKZP2 -> cloudflare-static12.\com PZMLXR7K -> chatliveapp.\com TWNZ39CT -> zip-check.\online WJTZFHFG -> cdn-cloudauth.\net #eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
A sophisticated #magecart campaign fakes @stripe and @Square payment forms using a 3-stage kill chain:
1⃣ Injected <style onload> attributes execute the loader.
2⃣ Malicious JS is hidden in the trailing bytes of legitimate site images, hosted on the victim's domain.
3⃣ Stolen card data is tunneled out via real-time WebSockets.
Domains: path-bootstrapcdn.\com cdnjs-cloud.\com leads-zdassets.\com
#eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
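Two defender-side checks for stages 1 and 2 of the chain described in the post above, added here as an example and not code from the post's author or any vendor: flag `<style>` tags that carry an event-handler attribute, and report any bytes appended after a PNG's IEND chunk. The HTML fragment and PNG bytes are constructed inline; JPEG files are not handled.

```javascript
const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Stage 1: a <style> element has no legitimate need for an on* event handler
// attribute, so any such attribute is worth flagging. Returns the matching tags.
function findStyleEventHandlers(html) {
  return html.match(/<style\b[^>]*\son[a-z]+\s*=[^>]*>/gi) || [];
}

// Stage 2: walk the PNG chunk list (length, type, data, CRC) and return whatever
// follows the IEND chunk. A well-formed PNG has nothing after IEND. Returns null
// for non-PNG or truncated input so a corrupt file is not reported as clean.
function pngTrailingBytes(buf) {
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_SIG)) return null;
  let off = 8;
  while (off + 8 <= buf.length) {
    const len = buf.readUInt32BE(off);
    const type = buf.toString('ascii', off + 4, off + 8);
    const next = off + 12 + len; // 4 length + 4 type + data + 4 CRC
    if (next > buf.length) return null;
    if (type === 'IEND') return buf.subarray(next);
    off = next;
  }
  return null; // no IEND chunk found
}

// Builds a PNG chunk for the constructed sample; the walker does not verify
// CRCs, so a zero CRC is sufficient here.
function chunk(type, data) {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(data.length);
  return Buffer.concat([len, Buffer.from(type, 'ascii'), data, Buffer.alloc(4)]);
}

// Constructed samples: a minimal 1x1 PNG header, the same file with data appended
// after IEND, and an HTML fragment with one <style onload> and one clean <style>.
const IHDR = Buffer.from([0, 0, 0, 1, 0, 0, 0, 1, 8, 6, 0, 0, 0]);
const cleanPng = Buffer.concat([PNG_SIG, chunk('IHDR', IHDR), chunk('IEND', Buffer.alloc(0))]);
const APPENDED = '/* appended data (constructed placeholder) */';
const taintedPng = Buffer.concat([cleanPng, Buffer.from(APPENDED)]);
const sampleHtml = '<style onload="init()">body{}</style><style>p{}</style>';

// Summarise both checks over the samples.
function report() {
  return {
    styleHandlers: findStyleEventHandlers(sampleHtml).length,
    cleanTrailing: pngTrailingBytes(cleanPng).length,
    taintedTrailing: pngTrailingBytes(taintedPng).toString('utf8'),
  };
}
console.log(report());
```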
🚨 New #Magecart campaign: GTM-WJS5XR6W hijacked as loader → fake Bolt & Saferpay overlays → card data out via WebSocket image steganography. 13 C2s across chatliveplus[.]com, livechatlite[.]com, eventchatsupport[.]com. #eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
Great write-up on bypassing WAF protections to exploit Client-Side Path Traversal (CSPT) using encoding levels. The explanation of how different decoding layers (browser, WAF, and application) interpret paths differently — and how attackers can abuse those inconsistencies to reach gadgets and escalate to XSS — is extremely valuable for modern client-side testing. Definitely worth reading for bug bounty hunters and AppSec folks. Read here: matanber.com/blog/cspt-level… Huge credit to @MtnBer for the research and clear breakdown 👏 #BugBounty #WebSecurity #AppSec #InfoSec #XSS #WAF #ClientSideSecurity #Pentesting
@CodePen abused again. A #magecart loader stored at the path assets.codepen.\io/14553950/communityhelper_pro_help.js opens a WebSocket to the known malicious domain communityhelper.\store. We reported the abuse to CodePen. #eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
@CodePen abused again. A #magecart attack stored in the path https://assets.codepen.\io/14553950/communityhelper_pro_help.js. The code opens a WebSocket to the known malicious domain: communityhelper.\store. We reported the abuse to CodePen. #eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
If you're serious about improving your client-side bug hunting skills, I highly recommend going through the write-ups on ysamm.com. Each post shows how subtle browser behavior, auth flows, and small logic flaws can turn into real-world account takeovers and high-impact bugs on major platforms. It’s the kind of content that genuinely sharpens your security mindset. Huge respect and thanks to @samm0uda for consistently sharing such valuable research with the community 👏 #BugBounty #AppSec #ClientSideSecurity #WebSecurity
Recently started exploring jxscout and it’s quickly becoming a valuable part of my client-side bug hunting workflow 🔍 The tool helps with collecting, organizing, and analyzing JavaScript assets, recovering sourcemaps, discovering hidden endpoints, and mapping frontend functionality that often stays buried inside modern bundled JS. It really helps improve visibility into the client-side attack surface ⚡ Huge thanks to @fneves97 for building and maintaining this awesome project 🙌 It’s been super helpful in my daily bug hunting routine 🐞🎯 📦 Official GitHub Repo: github.com/francisconeves97/… 🌐 Official App / Platform: jxscout.app/ Also worth noting — the project offers both Free and Pro versions depending on your workflow needs. #BugBounty #AppSec #ClientSideSecurity #Recon #Infosec #BugBountyTips
🚨 #magecart alert: Malicious Google Tag Managers continue to transform:
1⃣ TVR8FN5D -> fastlistcss.\icu (formerly analyzerai.\icu)
2⃣ MX7L8F2M -> drawninfoinspector.\com & sketchdataanalytics.\com
3⃣ PLM3ZJ28 -> NF7Z75PB -> chelyad.\icu (formerly gooliststyle.\icu)
#eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
Update: we dug deeper and the script appears to be legitimate (not #magecart), but severely misconfigured. The script (seems to be from Triplewhale) is meant to help sites validate users via phone numbers and other telemetry. However, because the site defined the credit card field as type="tel" (for mobile UX), the script unintentionally captured and sent credit card data to api.config-security.\com. This is very bad configuration, but it does not appear malicious. And yes, sorry for the “marketing” angle, but this is exactly why you need controls that define precisely what data is allowed to leave the browser. CSP or detection-only approaches would not have prevented this. Accidental, not malicious — still a real client-side data exposure. #eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
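An added example, not code from the post's author, Triplewhale or Source Defense, of the kind of control the post above calls for: a telemetry script that allowlists field types and still refuses to forward PAN-shaped values, so a card number typed into a type="tel" input never leaves the browser. The field objects, the allowlist and the function names are assumptions made for the example.

```javascript
// Luhn mod-10 check as used by card PANs; expects a digit-only string.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// A value is PAN-shaped if, after dropping spaces and dashes, it is 13-19 digits
// and Luhn-valid. Phone numbers fail on length or on the checksum.
function looksLikePan(value) {
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Decide whether a field value may leave the browser. Only allowlisted input
// types are forwarded, cc-* autocomplete fields are never forwarded, and an
// allowed field is still withheld when its content is PAN-shaped. The returned
// reason lets the caller log what was withheld without logging the value.
function guardField(field) {
  const allowedTypes = new Set(['tel', 'email']); // assumed telemetry allowlist
  if (!allowedTypes.has(field.type)) return { send: false, reason: 'type-not-allowed' };
  if (/^cc-/.test(field.autocomplete || '')) return { send: false, reason: 'card-autocomplete' };
  if (looksLikePan(field.value)) return { send: false, reason: 'pan-shaped' };
  return { send: true, value: field.value };
}

// Constructed sample fields: a phone number, the post's misconfigured card input
// declared as type="tel" (holding the 4111... test number, not a real card),
// and a card field that is at least labelled with autocomplete="cc-number".
const sampleFields = [
  { name: 'phone', type: 'tel', value: '+1 415 555 0199' },
  { name: 'cardnumber', type: 'tel', value: '4111 1111 1111 1111' },
  { name: 'cc', type: 'tel', autocomplete: 'cc-number', value: '5555 5555 5555 4444' },
];

// Returns [name, decision] pairs, which is what a telemetry sender would consult.
function collect(fields) {
  return fields.map(f => [f.name, guardField(f).send]);
}
console.log(collect(sampleFields));
```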
Replying to @libthoughts
Great find @libthoughts. Source Defense Research can confirm the domain api.config-security.\com listens and sends PCI & PII data. Our researchers continue looking into this case. #eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity #magecart