New Magecart Campaign Targets Online Checkout Forms

Magecart attack steals credit cards at checkout

In 2026, a sophisticated web-skimming campaign that targets online buyers surfaced with increased vigor, compromising e-commerce websites and stealing private financial data during checkout.

The attack poses a growing danger to online retail security and has been identified as a member of the larger Magecart family of attacks.

This long-running effort, which has been active since at least early 2022, includes a substantial infrastructure that threat researchers have uncovered.

Millions of consumers worldwide may be impacted by the fraudulent network, which targets major payment networks such as American Express, Diners Club, Discover, Mastercard, JCB, and UnionPay.

The attack works through JavaScript injection: malicious code is inserted into legitimate e-commerce websites without raising obvious security signals.

Once injected, the code stays dormant until users reach the checkout page, at which point it launches its credential-stealing payload.

To remain persistent and evade detection, the infrastructure depends on compromised domains and bulletproof hosting providers.

Silent Push analysts observed that the attackers had a deep understanding of WordPress's internal workings, using lesser-known functionality such as the wp_enqueue_scripts action hook to load malicious scripts as part of normal page rendering.

The malware's ability to present a convincing front during the payment process is what makes it technically sophisticated.

To keep the payment form under continuous observation, the skimmer creates a MutationObserver that tracks changes to the webpage in real time.

The real Stripe payment form is then concealed, and a nearly identical fake form that collects card numbers, expiration dates, CVV codes, and billing details is injected.

To appear legitimate to victims, the fraudulent form includes brand detection logic that identifies the card type and displays the matching brand graphics. Payment details are not the only information collected. The skimmer monitors every input box on the checkout page, gathering email addresses, names, and addresses.

After victims fill out the form and press the Place Order button, the skimmer gathers all of the information into a structured object and obfuscates it using XOR encryption with a hardcoded key of 777 and Base64 encoding.

After that, the encrypted payload is sent to exfiltration servers on compromised infrastructure via an HTTP POST request.
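
When one of these POST bodies is recovered from proxy or WAF logs, decoding it shows which customer fields were exposed. The following is an added example, not code from the campaign or from Silent Push; it assumes Base64 is the outer layer and, because the article does not say how the key 777 is applied, tries three assumed interpretations (the names decodeExfil and VARIANTS are hypothetical).

```javascript
// Added example for incident response; not code from the campaign or the report.
const KEY = 777; // hardcoded key value reported in the article

// Assumed candidate ways the key could be applied beneath the Base64 layer.
const VARIANTS = {
  // key XORed into each character code, result UTF-8 encoded before Base64
  charCode: (buf) =>
    Array.from(buf.toString("utf8"), (c) =>
      String.fromCharCode(c.charCodeAt(0) ^ KEY)).join(""),
  // key truncated to one byte (777 & 0xff === 0x09)
  lowByte: (buf) =>
    Buffer.from(Uint8Array.from(buf, (b) => b ^ (KEY & 0xff))).toString("utf8"),
  // key digits "777" used as a repeating ASCII byte key
  asciiDigits: (buf) =>
    Buffer.from(Uint8Array.from(buf, (b, i) =>
      b ^ String(KEY).charCodeAt(i % 3))).toString("utf8"),
};

// Returns { variant, data } for the first variant that yields a JSON object,
// or null when the body does not decode under any of them.
function decodeExfil(b64) {
  const raw = Buffer.from(b64, "base64");
  for (const [variant, decode] of Object.entries(VARIANTS)) {
    try {
      const data = JSON.parse(decode(raw));
      if (data !== null && typeof data === "object") return { variant, data };
    } catch (_) {
      // Not valid JSON under this variant; try the next one.
    }
  }
  return null;
}

// Constructed sample (test values only). XOR is its own inverse, so the
// charCode routine also produces the obfuscated form used for this sample.
const SAMPLE_FIELDS = { email: "buyer@example.test", card: "4242424242424242",
  exp: "12/30", cvv: "000" };
const SAMPLE_BODY = Buffer.from(
  VARIANTS.charCode(Buffer.from(JSON.stringify(SAMPLE_FIELDS))), "utf8"
).toString("base64");

const result = decodeExfil(SAMPLE_BODY);
console.log(result.variant, result.data);
```

A null return means the captured body does not match any of the assumed schemes and needs manual analysis against the skimmer script itself.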

By displaying payment errors after the form is submitted, the attack takes advantage of human psychology to trick victims into thinking they entered the wrong information.