A new magecart-style attack has raised concerns across cybersecurity environments targeting ecommerce websites which utilize the OpenCart Content Management System (CMS).

OpenCart itself is a popular open-source eCommerce platform, which essentially functions as a CMS specifically designed for managing online stores. It allows users to manage products, track orders, handle customer relationships, and more, all within a user-friendly dashboard. 

The attackers injected malicious JavaScript into landing pages, cleverly hiding their payload among legitimate analytics and marketing tags such as Meta Pixel, and Google Tag Manager.

Experts from c/side, a cybersecurity firm that monitors third-party scripts and web assets to detect and prevent client-side attacks, says the injected code resembles a standard tag snippet, but its behavior tells a different story.

Obfuscation techniques and script injection

This particular campaign disguises its malicious intent by encoding payload URLs using Base64 and routing traffic through suspicious domains such as /tagscart.shop/cdn/analytics.min.js, making it harder to detect in transit.

At first, it appears to be a standard Google Analytics or Tag Manager script, but closer inspection reveals otherwise. When decoded and executed, the script dynamically creates a new element, inserts it before existing scripts, and silently launches additional code.

The malware then executes heavily obfuscated code, using techniques such as hexadecimal references, array recombination, and the eval() function for dynamic decoding. The key function of this script is to inject a fake credit card form during checkout, styled to appear legitimate.

Once rendered, the form captures input across the credit card number, expiration date, and Card Verification Code (CVC). Listeners are attached to blur, keydown, and paste events, ensuring that user input is captured at every stage.

The attack doesn’t rely on clipboard scraping, and users are forced to manually input card details. Clipboard scraping, also known as clipboard hijacking, refers to the malicious practice of accessing and potentially modifying data that a user has copied to their clipboard. This is often achieved through malware that monitors clipboard activity, allowing attackers to steal sensitive information like passwords, cryptocurrency wallet addresses, or other personal data. 

After this, data is immediately exfiltrated via POST requests to two command-and-control (C2) domains: //ultracart[.]shop/g.php and //hxjet.pics/g.php. In addition to this, the original payment form is hidden once the card information is submitted – a second page then prompts users to enter further bank transaction details.

“Exfiltrated via POST” refers to the act of stealing or transferring data out of a system using the HTTP POST method. This method removes sensitive data has been secretly taken from a system by sending it as part of an HTTP POST request to an attacker’s server. This method allows attackers to bypass some security measures by appearing to be normal web traffic. 

What stands out in this case is the unusually long delay in using the stolen card data, which took several months instead of the typical few days.

The report reveals that one card was used on June 18 in a pay-by-phone transaction from the US, while another was charged €47.80 to an unidentified vendor.

This breach shows a growing risk in Software as a Service or SaaS-based e-commerce, where CMS platforms like OpenCart become soft targets for advanced malware. As a result, there is a need for stronger security measures beyond basic firewalls.

Automated platforms like c/side claim to detect threats by spotting obfuscated JavaScript, unauthorized form injections, and anomalous script behavior. As attackers expand, real-time monitoring and threat intelligence should no longer be optional for ecommerce vendors seeking to secure their customers’ trust.