Cybercriminals Exploit Stripe, Google Tag Manager in Global Payment Data Theft

AI-generated from multiple sources. Verify before acting on this reporting.

LONDON (AP) — A new wave of credit card theft campaigns is targeting online merchants by exploiting vulnerabilities in widely used payment and analytics infrastructure, specifically abusing Stripe's API and Google Tag Manager to exfiltrate sensitive customer data.

The attack, identified on June 4, 2026, marks a significant evolution in the tactics used by the Magecart group of cybercriminals. Instead of directly compromising merchant websites, the actors are injecting malicious code into the checkout processes of e-commerce stores. This code captures credit card numbers and payment details as customers enter them, sending the stolen information to servers controlled by the attackers.

Security researchers have determined that the campaign leverages Google Tag Manager, a popular tool for managing website analytics tags, to host the malicious scripts. By compromising the tag manager accounts or injecting code into the tag configurations, attackers can deploy the skimming scripts across multiple websites without needing to breach the underlying e-commerce platforms directly. The stolen data is then routed through Stripe's API infrastructure, allowing the attackers to mask the exfiltration traffic as legitimate payment processing requests.

The scope of the campaign appears to be global, affecting online stores that utilize both Stripe for payment processing and Google Tag Manager for website analytics. The attack vector bypasses traditional security measures by operating within the trusted infrastructure of these major technology providers. Because the malicious code is executed within the context of legitimate services, it is difficult for standard web application firewalls to distinguish between normal traffic and the data theft.

Stripe and Google have not yet issued public statements regarding the specific nature of the compromise or the number of affected merchants. The attack highlights the growing risks associated with third-party integrations in the digital supply chain. As e-commerce platforms increasingly rely on external tools for analytics and payment processing, the attack surface expands, providing more opportunities for cybercriminals to intercept sensitive financial information.

The Magecart group has a history of targeting online retailers, with previous campaigns resulting in the theft of millions of credit card numbers. This latest iteration demonstrates a shift toward abusing the infrastructure of trusted service providers to facilitate data exfiltration. The use of Google Tag Manager and Stripe's API suggests a sophisticated understanding of how these platforms function and how to manipulate them for malicious purposes.

Merchants are advised to audit their third-party integrations and monitor for unauthorized changes to their tag manager configurations. Security experts recommend implementing strict access controls and regularly reviewing the scripts and tags deployed on checkout pages. The full extent of the data breach and the number of compromised customer records remain unclear as investigators continue to assess the impact of the campaign.
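One way to carry out the tag-configuration monitoring recommended above, shown as an added example that is not part of the original report: compare the Custom HTML tags in a current Google Tag Manager container export against the last export a reviewer approved, by content hash, and report every tag that was added, removed or modified. The function names and the sample exports are constructed for illustration; the check assumes the merchant keeps an approved export on file and covers Custom HTML tags only.

```python
import hashlib

def custom_html_tags(export):
    """Map tagId -> (name, SHA-256 of body) for each Custom HTML tag in a GTM export."""
    tags = {}
    for tag in export.get("containerVersion", {}).get("tag", []):
        if tag.get("type") != "html":  # "html" is GTM's Custom HTML tag type
            continue
        body = next((p.get("value", "") for p in tag.get("parameter", [])
                     if p.get("key") == "html"), "")
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        tags[tag["tagId"]] = (tag.get("name", ""), digest)
    return tags

def audit(approved, current):
    """Return (change, tagId, name) for Custom HTML tags that differ from the approved export."""
    old, new = custom_html_tags(approved), custom_html_tags(current)
    findings = []
    for tag_id in sorted(set(old) | set(new)):
        if tag_id not in old:
            findings.append(("added", tag_id, new[tag_id][0]))
        elif tag_id not in new:
            findings.append(("removed", tag_id, old[tag_id][0]))
        elif old[tag_id][1] != new[tag_id][1]:
            findings.append(("modified", tag_id, new[tag_id][0]))
    return findings

def _export(*tags):
    """Build a constructed export with the same nesting as a GTM container export."""
    return {"exportFormatVersion": 2, "containerVersion": {"tag": [
        {"tagId": i, "name": n, "type": t,
         "parameter": [{"type": "TEMPLATE", "key": "html", "value": h}] if h else []}
        for i, n, t, h in tags]}}

# Constructed sample data: placeholder bodies only, not taken from the campaign.
APPROVED = _export(
    ("3", "GA4 config", "gaawc", None),
    ("7", "Chat widget", "html", "<script>/* reviewed widget loader v1 */</script>"),
)
CURRENT = _export(
    ("3", "GA4 config", "gaawc", None),
    ("7", "Chat widget", "html", "<script>/* body changed after review */</script>"),
    ("9", "Checkout helper", "html", "<script>/* tag nobody approved */</script>"),
)

if __name__ == "__main__":
    for change, tag_id, name in audit(APPROVED, CURRENT):
        print(f"{change:9} tagId={tag_id} name={name!r}")
```

Comparing content hashes rather than destination hosts matters here because the report describes exfiltration routed through trusted provider infrastructure, which a host allowlist would not flag.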

The incident raises questions about the security practices of major technology providers and the responsibility of merchants to secure their digital supply chains. As the investigation continues, it remains to be seen whether Stripe and Google will implement additional safeguards to prevent similar abuses of their infrastructure in the future.