#Magecart alert Hidden img ng-on-error reused a CSP nonce to load npm.clickcdn01[.]net, opened WebRTC to 85.17.55[.]137, injected a pixel-perfect fake @2c2p #payment form, and exfiltrated card data over WebRTC. #DataBreach #PCIDSS #ClientSideSecurity #WebSkimming #eSkimming #FormJacking
#Magecart attacks continue to use WebRTC for bypassing CSP entirely. Most attacks are injected as 1st-party inline JS. One variant is loaded from a compromised German Magento #ecommerce abused as a malware host. C2 infra: 178.16.53.\219 45.158.127.\28 38.87.117.\12 #DataBreach #PCIDSS #clientsidesecurity #WebSkimming #eSkimming #FormJacking
🚨 CYBER INTELLIGENCE ALERT: WEB EXPLOIT INJECTION AND NEOLINK DECONFIGURATION — GUATEMALA 🇬🇹 [STATUS: UNDER SUPERVISION]
The threat actor, fully identified under the alias NemorisHacking, has perpetrated a web exploit injection attack. The actor indicates that they compromised and visually defaced transactional instances of the NeoLink/NeoNet payment gateway infrastructure in Guatemala (.gt). The incident directly affects active transactional links, exposing critical weaknesses in the sanitization of website entry points. According to the evidence collected, the attack replaced the legitimate card payment form with a custom panel titled "The Mirror of Your Shadow," with explicit text attributing the compromise to the attacker.
🏢 Affected Entity: Infrastructure associated with NeoLink/NeoNet Guatemala (Payment Gateway)
👤 Threat Actor: NemorisHacking
⚔️ Attack Vector: Web Exploit Injection / Active Link Defacement
⚠️ CRITICAL RISK ANALYSIS AND EXPOSED FIELDS
The presence of code injections on payment processing platforms represents an imminent risk of large-scale financial fraud:
💳 Phishing and Formjacking Risk: The attacker demonstrates the ability to inject HTML elements into high-trust domains (pay.neolink.com.gt). This facilitates the cloning of critical fields such as "Card Number", "MM/YY", and "CVV" for the silent exfiltration of banking data (Magecart style) before redirecting the user.
🛑 Payment Chain Disruption: By altering the legitimate transaction interface, secure fund collection for affiliated merchants that rely on that link ID is completely disabled.
🛡️ MITIGATION AND PREVENTIVE TECHNICAL RECOMMENDATIONS
🚫 Link Isolation and Deactivation: NeoLink platform administrators are urged to immediately revoke and disable the token/ID of the compromised link to stop the deployment of malicious code.
💻 Code Injection Audit (Web App Audit): Thoroughly review server-side variable validation mechanisms in payment link generation routes to block the injection of HTML/JS payloads.
📊 MONITORING AND EVALUATION
Intelligence System: analyzer.vecert.io
Quickly assess your website's security with: monitor.vecert.io
#CyberSecurity #Guatemala #NeoNet #NeoLink #WebExploit #Defacement #NemorisHacking #FinancialThreats #ThreatIntelligence #CyberAlert #VECERT #Infosec
Again, a #Magecart attack abusing @Google services. The attack starts via malicious GTM containers, which fetch skimmer payloads from Firestore. The skimmer harvests #payment & PII data to localStorage. The data is exfiltrated by the GTM back to Firestore.
GTM IDs:
- P488GV4L
- NHD6TPNH
- WHMCNDCS
- WVTX28GJ
#eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
The dynamic DoH #Magecart group just upgraded their evasion game. Caught a new variant via GTM-PLBTGD25:
• DoH lookup on cloudflare-dns.com for `jartrack.\com`
• Decoupled stack traces via fake CDN (`fastcdnjs.\net`)
• Camouflaged as a Canvas Defender decoy
• Exfil over `crmcom.\org`
My original thread on this group: x.com/sdcyberresearch/status…
#eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity

A dynamic & resilient #Magecart infrastructure was found:
• Loaded via GTM-5QGGLMHR
• Performs DNS-over-HTTPS TXT lookup via cloudflare-dns.com for clickgator.\info
• TXT response returns a C2 WebSocket endpoint adsbridge.\fun, which is then opened
• AES-GCM 256-bit key exchange performed over the socket
• A second WebSocket is opened to adsbridge.\site or adsbridge.\space to retrieve the Magecart JS
• Based on the site’s PSP, it replaces the #payment form or performs silent skimming
• Stolen payment data is encrypted and exfiltrated via WebSocket to clickopath.\info
This represents a new generation of Magecart: infrastructural, dynamic, hidden and stable.
#eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
🚨 🇪🇨 CYBER THREAT ALERT: POTENTIAL SERVER COMPROMISE – SOMOS BDA (BANCO DEL AUSTRO)
⚠️ DETECTION OF SUSPICIOUS FILE UPLOADS AND POTENTIAL BACKDOOR [STATUS: EMERGING THREAT / UNCONFIRMED]
Activity has been detected from the group BROTHEROOD CAPUNG (BCI) targeting the domain somosbda.ec, a platform associated with employees and collaborators of Banco del Austro in Ecuador. Evidence suggests that the attackers have successfully breached the server's upload directory.
🎯 Affected Institution: Somos BDA / Banco del Austro.
👤 Threat Actors: BROTHEROOD CAPUNG (BCI).
📅 Detection Date: May 14, 2026.
📊 ACTIVITY ANALYSIS (UNCONFIRMED)
The incident presents indicators of a compromise involving the upload of unauthorized files:
🧩 Shell/Backdoor Upload: A URL has been identified pointing to a file with an apparently executable extension located within the /uploads/ directory. Although definitive technical confirmation is pending, the phrase "Shel nya ampas" used by the actor suggests the successful deployment of a Web Shell or Backdoor to maintain persistence.
🔓 Credential Risk: The affected page is a login portal ("Log In - Somos BDA"). A backdoor in this location could be used to intercept credentials belonging to bank employees and collaborators (Internal Phishing or Formjacking).
🛡️ MITIGATION AND RECOMMENDATIONS
🛑 Directory Isolation: It is recommended to immediately restrict access to—and script execution within—the /uploads/ directory on the affected server.
⚠️ File Audit: Conduct a thorough inspection of recently uploaded files to identify and remove any Web Shells or malicious code.
⚡ MONITORING
🌐 Monitoring System: analyzer.vecert.io
#CyberSecurity #BancoDelAustro #SomosBDA #Backdoor #WebShell #Ecuador #CyberAlert #VECERT #BCI #DataBreach
#Magecart Alert: a skimmer found on US major automotive brands' merchandise sites. By hiding inside Google Tag Manager and using @googleanalytics as an exfiltration proxy, the attackers effectively bypassed CSP. If you’ve shopped for car gear since Jan 2026, your data may be at risk. GTM ID: GTM-MX8L362L GA4 ID: G-7DTFFTL7Y8 #eSkimming #CyberSecurity #InfoSec #PCIDSS #formjacking
I was expecting that the two #magecart attacks on the same page would be synchronized😉 Two fake #payment forms in parallel, even though the real flow redirects to an external provider.
1⃣ 1st-party script exfiltrates to cindt.\org
2⃣ GTM-56QRKWQD -> GTM-NF7Z75PB -> WebSocket to plesclist.\icu
#eSkimming #CyberSecurity #InfoSec #PCIDSS #formjacking
🚨 New #magecart attack abusing @GoogleCloud Firestore @Braintree sandbox APIs (@PayPal). No blacklisted domains or suspicious network, only legit services.
1️⃣ Compromised @GoogleTagManager tag pulls collector from Firestore
2️⃣ Stolen #payment data XOR-encoded staged in localStorage
3️⃣ Exfiltrated via fake Braintree GraphQL CreateCustomer mutations
Hides as legit PSP traffic to payments.sandbox.braintree-a…
#eSkimming #CyberSecurity #InfoSec #PCIDSS #formjacking #LivingOffTheLand
🚨 #MAGECART ALERT! Attackers are abusing GTM (WFWB2J6F) to bypass CSP and security systems!
Method:
1️⃣ Triple-Nested Iframe Chain
2️⃣ Path traversal to "no-CSP" 400 errors
3️⃣ `setAttribute` "src" injection to hide from monitors
Exfiltrating to: static17-jquery./com
#eSkimming #CyberSecurity #InfoSec #PCIDSS #formjacking
A #magecart skimmer was found as part of the code of the Google Tag Manager ID=GMT-55HLHFV9. The stolen #payment data exfiltrates to ginsongtech.\net #eSkimming #CyberSecurity #InfoSec #PCIDSS #formjacking
#Magecart attack from ftp-opencart.\com targets @PayPal checkouts only. Victim clicks PayPal → fake loading screen → pixel-perfect fake PayPal form steals full card billing. This domain was first found in Dec 2025 x.com/sdcyberresearch/status…. Same ghost, new disguise. #eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
🚨 Massive #Magecart campaign uncovered. An over 50-script global operation hijacking checkout and account creation flows. Modular, localized payloads target Stripe, Mollie, PagSeguro, OnePay, PayPal & more. Uses fake payment forms, phishing iframes, and silent #skimming, plus anti-forensics tricks (hidden inputs, Luhn-valid junk cards). Moves beyond cards to steal credentials & PII, enabling ATO and long-term persistence via rogue admin access.
⚠️ This is Magecart evolving into full identity compromise.
#WebSkimming #FormJacking #PCIDSS #CyberSecurity #DataTheft #clientsidesecurity
Involved domains: bitbaystats.\com bootstrap-sdn.\com cdn-htojar.\com claritycrown.\com ftp-opencart.\com googlemanageranalytic.\com gtm-analyticsdn.\com hotanalytic.\com jquery-minical.\com jquery-stupify.\com sdn-jquary.\com sdn-optima.\com staticsinfo.\com supluyers.\com
A ghost #Magecart code was found on several sites using a major #ecommerce platform. The attack has been active since 2021, a 5-year persistence! As the platform upgraded its @Stripe & @Square integrations, the HTML elements the attack targeted became obsolete. The code haunted the sites as "ghost code" until our report led to its removal. #eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
Google Tag Manager continues to be abused by #magecart attacks:
TKMN7B96 -> phppackageeuro.\com
NMNKZP2 -> cloudflare-static12.\com
PZMLXR7K -> chatliveapp.\com
TWNZ39CT -> zip-check.\online
WJTZFHFG -> cdn-cloudauth.\net
#eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
A sophisticated #magecart campaign fakes @stripe and @Square payment forms using a 3-stage kill chain:
1⃣ Injected <style onload> attributes execute the loader.
2⃣ Malicious JS is hidden in the trailing bytes of legitimate site images, hosted on the victim's domain.
3⃣ Stolen card data is tunneled out via real-time WebSockets.
Domains: path-bootstrapcdn.\com cdnjs-cloud.\com leads-zdassets.\com
#eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
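A static markup check a defender can run to surface the two loader patterns described in the first post (a hidden element whose AngularJS `ng-on-error` reuses the page's CSP nonce) and the three-stage post above (`<style onload>` as loader). This is an added example, not code from any of the posts; the CSP header, the HTML fragment and the attribute heuristics are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a nonce-based CSP and a fragment of checkout markup.
CSP_HEADER = "script-src 'nonce-abc123' 'strict-dynamic'; connect-src 'self'"
SAMPLE_HTML = """
<script nonce="abc123" src="/app.js"></script>
<img src="x" style="display:none" ng-on-error="$event.target.remove()">
<img src="/logo.png" nonce="abc123">
<style onload="void 0">body{}</style>
<div>checkout</div>
"""

NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")
# Inline handlers: classic on* attributes plus AngularJS ng-on-* / data-ng-on-*.
HANDLER_RE = re.compile(r"^(on[a-z]+|(data-)?ng-on-[a-z-]+)$")


def csp_nonces(header: str) -> set:
    """Return every nonce value the policy trusts."""
    return set(NONCE_RE.findall(header))


def webrtc_blocked(header: str) -> bool:
    """True if the CSP Level 3 directive `webrtc 'block'` is present."""
    return re.search(r"(^|;)\s*webrtc\s+'block'", header) is not None


class NonceAuditor(HTMLParser):
    def __init__(self, nonces: set):
        super().__init__()
        self.nonces = nonces
        self.findings = []  # (tag, kind, detail)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases attribute names
        # Only <script> and <style> have a reason to carry the CSP nonce.
        if attrs.get("nonce") in self.nonces and tag not in ("script", "style"):
            self.findings.append((tag, "nonce-reuse", attrs["nonce"]))
        for name in attrs:
            if HANDLER_RE.match(name):
                self.findings.append((tag, "inline-handler", name))


def audit(html: str, header: str) -> list:
    """Run the heuristics over a page; returns the list of findings."""
    parser = NonceAuditor(csp_nonces(header))
    parser.feed(html)
    return parser.findings
```

The three findings on the sample are the hidden `img` with `ng-on-error`, the `img` carrying the script nonce, and the `style` with `onload`; the same policy also lacks `webrtc 'block'`, which matters when exfiltration runs over a data channel that `connect-src` does not govern.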
🚨 New #Magecart campaign: GTM-WJS5XR6W hijacked as loader → fake Bolt & Saferpay overlays → card data out via WebSocket image steganography. 13 C2s across chatliveplus[.]com, livechatlite[.]com, eventchatsupport[.]com. #eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
@CodePen abused again. A #magecart loader is stored in the path assets.codepen.\io/14553950/communityhelper_pro_help.js and opens a WebSocket to the known malicious domain communityhelper.\store. We reported the abuse to CodePen. #eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity
@CodePen abused again. A #magecart attack stored in the path https://assets.codepen.\io/14553950/communityhelper_pro_help.js The code opens a WebSocket to the known malicious domain: communityhelper.\store We reported the abuse to CodePen. #eSkimming #WebSkimming #FormJacking #PCIDSS #clientsidesecurity