Magecart Skimmers Turn Stripe Into a Perfectly Camouflaged Command-and-Control Server

The campaign chains together three stages, each abusing a legitimate service to avoid detection .

Stage 1: Inject the loader through Google Tag Manager

Attackers first compromise a Google Tag Manager container on the target store. They insert a malicious tag that loads on every page. Because the script originates from googletagmanager.com, a trusted analytics domain, it bypasses typical Content Security Policies and ad-blockers without raising alarms . GTM becomes the unblockable delivery mechanism.

Stage 2: Fetch the skimmer from Stripe’s API

Instead of calling out to a sketchy third-party server, the GTM tag requests the skimmer payload from api.stripe.com. The attackers store the full JavaScript skimmer inside a Customer metadata field on their own Stripe account, using a test-mode secret key (sk_test_...) to write and retrieve it . The skimmer arrives from a domain that store operators trust implicitly as part of their payment stack, so network monitoring and CSP rules rarely flag the API call.

Stage 3: Exfiltrate stolen data back to the same Stripe account

When a shopper enters credit card details, personal information, and billing addresses at checkout, the injected skimmer captures the data and sends it back to the attackers’ Stripe account. It writes the information as fake Customer records or metadata entries using the same Stripe API . Because the exfiltration traffic routes right back to api.stripe.com, it blends in perfectly with legitimate payment API calls, making the theft essentially invisible to firewall logs and anomaly detection tools .

The entire operation has been active since at least December 24, 2025, according to the indicators seen by researchers .

Why test-mode secret keys are so dangerous here

Stripe’s test-mode secret keys (sk_test_...) grant full read and write access within the sandbox environment and allow unlimited creation of fake customers and metadata fields at no cost . Because test keys never trigger real charges, their abuse is easy to overlook. The attackers rely on the fact that many organizations treat test keys as low-risk and fail to audit sandbox activity with the same rigor they apply to live traffic.

A related but separate threat is the exposure of live secret keys, which would give an attacker direct access to real transactional data and the ability to issue refunds or transfer funds . While this campaign uses test-mode keys for stealth, the underlying principle is the same: Stripe API keys, in any mode, are powerful credentials that should never appear in client-side code or Google Tag Manager containers .

CVE-2026-3300: Critical RCE in Everest Forms Pro

While the Stripe campaign targets ecommerce checkout flows, WordPress site owners face an equally urgent threat from a plugin vulnerability that has been actively exploited since April 13, 2026 .

CVE-2026-3300 is an unauthenticated remote code execution flaw in the Everest Forms Pro plugin, which has roughly 4,000 active installations . The vulnerability scores 9.8 on the CVSS scale and affects all versions up to and including 1.9.12 .

The bug resides in the process_filter() function inside the Calculation add-on. When the "Complex Calculation" feature is enabled, the plugin takes user-supplied values from string-type form fields, concatenates them directly into a PHP code string, and passes the result to eval() without proper escaping . The sanitize_text_field() function applied to the input does not neutralize single quotes or other characters that have special meaning in a PHP code context, allowing an attacker to break out of the intended string and inject arbitrary commands .

Wordfence has blocked over 29,300 exploit attempts and reports that attackers are deploying unauthorized administrator accounts as part of the post-exploitation process . Site owners should look for indicators of compromise such as new admin users with unexpected names, unusual files on the server, or suspicious outbound connections .

Defensive measures for both threats

Block the Stripe Magecart attack chain

• Lock down Google Tag Manager. Restrict GTM containers to only approved, audited tags and require strict change-management approval before publishing .
• Tighten your Content Security Policy. Do not list api.stripe.com as a script-src unless it is strictly necessary. If you must include it, enforce sub-resource integrity (SRI) hashes. Blocking inline scripts provides another layer of defense .
• Audit Stripe sandbox activity. Monitor your Stripe dashboard for unusual volumes of Customer object creation or metadata writes under test-mode keys. Treat sandbox anomalies with the same seriousness as live-mode anomalies.
• Rotate and protect API keys. Never embed Stripe secret keys — test or live — in client-side JavaScript, GTM variables, or public repositories . Rotate any key that may have been exposed .
• Deploy client-side monitoring. Use browser-side integrity checks that detect DOM manipulation on checkout pages by unauthorized scripts .

Patch the Everest Forms Pro vulnerability

• Update immediately. Upgrade to Everest Forms Pro version 1.9.13 or later, which contains the fix .
• Disable the risky feature if patching is delayed. As a temporary workaround, turn off the "Complex Calculation" feature in the plugin settings to prevent exploitation through unescaped eval() input .
• Scan for signs of compromise. Look for unknown admin accounts, unexpected files, suspicious eval() calls, and outbound network connections to unfamiliar IPs. A full WordPress integrity check on core, theme, and plugin file checksums is essential after remediation .