Threat intelligence
Magecart Skimmers: How Card-Stealing Malware Hides in Magento Checkouts
If your Magento store processes payments, there's a class of malware built specifically to rob you: Magecart. It's not a single group — it's a tactic used by dozens of criminal crews, and it's responsible for millions of stolen credit cards.
What is a Magecart skimmer?
A Magecart skimmer is a small piece of malicious JavaScript injected into your store's pages — usually the checkout. When a customer types their card details, the skimmer quietly copies them and sends a copy to the attacker's server. The transaction completes normally, so nobody notices.
Why they're so hard to spot
Skimmers are designed for stealth: obfuscated code, fake "analytics" domains, payloads that only run on the checkout page, and exfiltration disguised as ordinary web traffic. Many merchants only discover a skimmer after their payment processor flags fraud — weeks later.
How they get in
- An unpatched Magento CVE (e.g. CosmicSting → stolen keys → admin access)
- A vulnerable or pirated third-party extension
- Compromised admin credentials
- A backdoor left from a previous hack
How to detect a skimmer
Start with a free external scan at MageArgus — it checks your storefront for known skimmer indicators and suspicious external scripts. For complete coverage including database-resident skimmers, the MageArgus module scans your files and database from the inside.
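To make the "suspicious external scripts" check concrete, here is an added example of the kind of external storefront scan described above. It is not MageArgus or W3ctrl code; the allowlisted hosts and the sample checkout page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCRIPT_HOSTS = {"shop.example", "static.shop.example"}  # assumed allowlist (hypothetical hosts)
INDICATORS = {  # traits the article describes: checkout-only gating, obfuscation, exfil dressed as analytics
    "checkout_gating": re.compile(r"location\.(href|pathname)[^;]{0,60}(checkout|onepage|payment)", re.I),
    "obfuscation": re.compile(r"atob\(|fromCharCode|(\\x[0-9a-f]{2}){3,}|[A-Za-z0-9+/]{60,}={0,2}"),
    "exfiltration": re.compile(r"new Image\(\)\.src|sendBeacon\(|fetch\(|XMLHttpRequest", re.I),
}

class ScriptCollector(HTMLParser):  # collects external <script src> URLs and full inline script bodies
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # inline script: buffer its body until the closing tag
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def scan_page(html):
    """Return (kind, detail) findings: unknown script hosts, and inline scripts showing 2+ skimmer traits."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unknown-script-host", host))
    for body in collector.inline:
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
        if len(hits) >= 2:  # one trait alone is noisy: legitimate analytics uses fetch() too
            findings.append(("suspicious-inline-script", ",".join(hits)))
    return findings

# Constructed sample page: one legitimate script, one look-alike "analytics" host, one gated inline payload.
SAMPLE_CHECKOUT_HTML = """<html><head><script src="https://static.shop.example/js/require.js"></script>
<script src="https://stats-analytics-cdn.example/ga.js"></script><script>
if (location.pathname.indexOf('checkout') !== -1) { new Image().src =
  atob('aHR0cHM6Ly9zdGF0cy1hbmFseXRpY3MtY2RuLmV4YW1wbGUvZy5naWY=') + '?t=' + Date.now(); }</script></head></html>"""
```

Fetch the checkout page as an anonymous visitor and pass the response body to `scan_page`; a hit on an unknown host or a multi-trait inline script is a lead to investigate, not proof of compromise.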
How to remove one — and keep it out
- Remove the injected script and any unknown JavaScript
- Find and close the entry point (patch the CVE / remove the bad extension)
- Rotate all admin credentials and encryption keys
- Add a Content-Security-Policy to lock down which scripts run on payment pages
- Monitor continuously so re-infection is caught immediately
Removing the skimmer without closing the entry point just invites it back. If you're not certain you've found the root cause, W3ctrl does Magento malware removal and hardening.
Scan your store for free
Run an instant Magento malware & security scan — 0–100 score with copy-paste fixes. No signup.