{ "id": "65882fd8-b92a-4072-a8cd-b44f2b4d80a9", "created_at": "2026-04-06T00:08:44.328922Z", "updated_at": "2026-04-10T13:11:45.802096Z", "deleted_at": null, "sha1_hash": "a40ff89c2c82c824c8adac234c07ca918aa8e2b5", "title": "GitHub hosted Magecart skimmer used against hundreds of e-commerce sites | Malwarebytes Labs", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 281431, "plain_text": "GitHub hosted Magecart skimmer used against hundreds of e-commerce sites | Malwarebytes Labs\r\nBy Jérôme Segura\r\nPublished: 2019-04-25 · Archived: 2026-04-05 16:21:46 UTC\r\nEvery day, new e-commerce websites fall into the hands of one of the many Magecart skimmers. Unbeknownst to\r\nshoppers, criminals are harvesting their personal information, including payment details in the online equivalent\r\nof ATM card skimming.\r\nMost often the skimming code—written in JavaScript and obfuscated—is hosted on infrastructure controlled by\r\nattackers. Over time, they have created thousands of domain names mimicking Magento, the CMS platform that is\r\nby far most targeted.\r\nHowever, as we sometimes see in other types of compromises, threat actors can also abuse the resources of\r\nlegitimate providers, such as code repository GitHub, acquired by Microsoft last year.\r\nThis latest skimmer is a hex-encoded piece of JavaScript code that was uploaded to GitHub on April 20 by user\r\nmomo33333, who, as it happens, had just joined the platform on that day as well.\r\nhttps://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/\r\nPage 1 of 4\n\nIn the above and below screenshots, you can see that the threat actor was fine tuning the skimmer, after having\r\ndone a few tests:\r\nJust like with any other kind of third-party plugins, compromised Magento sites are loading this script within their\r\nsource code, right after the CDATA script and/or right before the tag:\r\nhttps://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/\r\nPage 2 of 4\n\nAccording to a search on urlscan.io, there are currently over 200 sites that have been injected with this skimmer:\r\nA look at the deobfuscated script reveals the exfiltration domain (jquerylol[.]ru) where the stolen data will be sent\r\nto:\r\nhttps://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/\r\nPage 3 of 4\n\nIt’s worth noting that the compromised Magento sites will remain at risk, even if the GitHub-hosted skimmer is\r\ntaken down. Indeed, attackers can easily re-infect them in the same manner they initially injected the first one.\r\nIt is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure\r\nauthentication methods. Over the past year, we have identified thousands of sites that are hacked and posing a risk\r\nfor online shoppers.\r\nWe reported the fraudulent GitHub account which was quickly taken down. We are also protecting our users by\r\nblocking the exfiltration domain.\r\nSource: https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/\r\nhttps://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/\r\nPage 4 of 4\n\n https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/ \nAccording to a search on urlscan.io, there are currently over 200 sites that have been injected with this skimmer:\nA look at the deobfuscated script reveals the exfiltration domain (jquerylol[.]ru) where the stolen data will be sent\nto: \n Page 3 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/" ], "report_names": [ "github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites" ], "threat_actors": [ { "id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed", "created_at": "2023-01-06T13:46:38.814104Z", "updated_at": "2026-04-10T02:00:03.110104Z", "deleted_at": null, "main_name": "MageCart", "aliases": [], "source_name": "MISPGALAXY:MageCart", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434124, "ts_updated_at": 1775826705, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a40ff89c2c82c824c8adac234c07ca918aa8e2b5.pdf", "text": "https://archive.orkl.eu/a40ff89c2c82c824c8adac234c07ca918aa8e2b5.txt", "img": "https://archive.orkl.eu/a40ff89c2c82c824c8adac234c07ca918aa8e2b5.jpg" } }