Magecart family runs its skimmer out of Stripe — payload in customer metadata, stolen cards exfiltrated back through api.stripe.com
From CTI Daily Brief — 2026-06-07 · published 2026-06-07
Sansec's forensics team documented a card-skimming family that routes both payload delivery and exfiltration entirely through Stripe's legitimate API (Sansec, 2026-06-04). The actor creates a Stripe customer object and stores the skimmer JavaScript in that customer's metadata fields; at checkout the skimmer is fetched from api.stripe.com, captures full card number, CVV, expiry and billing address, then writes the stolen data back to Stripe by creating new fake customer records — so both inbound payload and outbound theft look like ordinary Stripe API traffic (BleepingComputer, 2026-06-04). The entry point is a malicious Google Tag Manager (GTM) container injected into checkout pages of Magento / Adobe Commerce stores; the skimmer-hosting Stripe customer record was created 2025-12-24, indicating a campaign running since at least late 2025. Maps to T1059.007 (JavaScript) and T1071.001 (Application Layer Protocol: Web).
Why it matters to us: api.stripe.com is universally allow-listed in CSP script-src/connect-src and WAF egress rules on payment sites, so the standard "block unknown exfil endpoints" control is blind to this. Detection has to move server-side: inventory GTM container IDs against an approved list, alert on Stripe customer-creation events that don't map to real orders, inspect customer-metadata fields for encoded JavaScript, and run file-integrity monitoring on checkout-page tag configuration rather than relying on browser-side CSP.
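The server-side checks listed above, as an added worked example that is not part of the brief or of Sansec's or BleepingComputer's reporting. It runs over constructed sample data (a checkout-page fragment and three customer records shaped like Stripe customer objects) rather than a live Stripe account; the approved container list, the JavaScript marker tokens and the "no matching order" rule are assumptions a store would tune to its own inventory. The per-value concatenation is there because Stripe caps each metadata value at 500 characters, so a payload larger than that has to be split across keys.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Set

# Approved GTM container IDs for the checkout page. Placeholder value; a real
# deployment loads this from the store's change-controlled tag inventory.
APPROVED_GTM_CONTAINERS: Set[str] = {"GTM-APPROVED1"}

GTM_ID_RE = re.compile(r"GTM-[A-Z0-9]{4,10}")
PAN_RE = re.compile(r"\b\d{13,19}\b")
# Tokens that ordinary customer metadata has no reason to contain (assumed heuristic).
JS_MARKERS = ("document.", "addEventListener", "querySelector", "fetch(",
              "XMLHttpRequest", "atob(", "eval(", "<script")


def find_unapproved_gtm(html: str, approved: Set[str]) -> List[str]:
    """Inventory every GTM container ID a page references and return the
    ones that are not on the approved list."""
    return sorted(set(GTM_ID_RE.findall(html)) - approved)


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check, used to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _maybe_base64(text: str) -> Optional[str]:
    """Decode strict base64 or return None when the text is not base64."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        return None


def inspect_metadata(metadata: Dict[str, str]) -> List[str]:
    """Return reasons a customer's metadata looks abnormal: script-like text
    (raw or base64) reassembled across keys, or a Luhn-valid card number."""
    joined = "".join(str(metadata[k]) for k in sorted(metadata))
    views = [joined]
    decoded = _maybe_base64(joined)
    if decoded:
        views.append(decoded)
    reasons = []
    for view in views:
        hits = [m for m in JS_MARKERS if m in view]
        if hits:
            reasons.append("js_in_metadata:" + ",".join(hits))
            break
    for value in metadata.values():
        for cand in PAN_RE.findall(str(value)):
            if luhn_ok(cand):
                reasons.append("pan_in_metadata:" + cand[:6] + "..." + cand[-4:])
    return reasons


def triage_customers(customers: List[dict], order_customer_ids: Set[str]) -> Dict[str, List[str]]:
    """Flag customers that never map to a real order, carry JavaScript in
    metadata, or carry card numbers in metadata."""
    findings: Dict[str, List[str]] = {}
    for cust in customers:
        reasons = []
        if cust["id"] not in order_customer_ids:
            reasons.append("no_matching_order")
        reasons.extend(inspect_metadata(cust.get("metadata", {})))
        if reasons:
            findings[cust["id"]] = reasons
    return findings


# --- Constructed sample data (not real store pages or Stripe records) --------
CHECKOUT_HTML = (
    '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-APPROVED1"></script>\n'
    '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-R0GUE00"></script>\n'
)
# Harmless stand-in for script text stored in metadata, base64-encoded and split
# into short chunks so reassembly is exercised (Stripe's 500-char value limit
# forces the same kind of split for anything larger).
_STAND_IN_JS = "document.querySelector('form').addEventListener('submit',function(){});"
_B64 = base64.b64encode(_STAND_IN_JS.encode()).decode()
_HOST_METADATA = {f"p{i:02d}": _B64[j:j + 32] for i, j in enumerate(range(0, len(_B64), 32))}

SAMPLE_CUSTOMERS = [
    {"id": "cus_legit01", "created": 1780000000, "metadata": {"order_id": "100042"}},
    {"id": "cus_host01", "created": 1766534400, "metadata": _HOST_METADATA},
    {"id": "cus_drop01", "created": 1780000500,
     "metadata": {"n": "4242424242424242", "e": "12/28"}},  # Stripe public test PAN
]
ORDER_CUSTOMER_IDS = {"cus_legit01"}  # customers that correspond to real orders

if __name__ == "__main__":
    print("unapproved GTM containers:", find_unapproved_gtm(CHECKOUT_HTML, APPROVED_GTM_CONTAINERS))
    for cid, why in triage_customers(SAMPLE_CUSTOMERS, ORDER_CUSTOMER_IDS).items():
        print(cid, why)
```

In production the customer list would come from the Stripe `customer.created` webhook or a periodic listing, joined against the order database; the page-side check runs on the rendered checkout HTML captured by the file-integrity job, not in the browser, which is the point of moving detection off CSP.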