Magecart skimmer turns Stripe into a malware command server
Summary
Sansec reports on a Magecart campaign that uses a Stripe customer’s metadata as a payload store and Stripe as a command server. The loader runs via GTM containers, harvests checkout data, and exfiltrates through Stripe (or Firestore) endpoints, with IOCs and practical defender recommendations.