This threat involves a Magecart malware campaign that injects malicious JavaScript via legitimate-looking Google Tag Manager containers on e-commerce checkout pages. The malware captures sensitive payment information (credit card details, billing info) and stores it by creating fake customer records in Stripe's API metadata fields, exploiting the trust online stores place in Stripe and Google Tag Manager domains. The stolen data is obfuscated and stored locally before being exfiltrated to Stripe, with traces wiped after upload. A variant uses Google Firestore as an alternative storage backend. The attack targets Magento/Adobe Commerce platforms and bypasses Content Security Policy and network filters by using trusted domains.

The campaign enables attackers to steal sensitive payment card and customer data from e-commerce checkout pages and store it covertly within Stripe customer records or Google Firestore documents. This compromises customer financial information and personal data, potentially leading to fraud and financial loss. The use of trusted domains allows the malware to evade common security controls, increasing the risk of undetected data theft.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the attack relies on malicious Google Tag Manager containers and abuse of trusted domains, mitigation should focus on auditing and restricting GTM container usage, monitoring for unauthorized changes, and validating third-party scripts. Customers can reduce risk by using one-time virtual cards with spending limits. Security teams should verify Content Security Policy configurations and network filters to detect anomalous traffic to Stripe or Firestore related to customer metadata. No official fix or patch is indicated in the available data.