THREE TIMES A CHARM: ESKIMMING ABUSES TRUSTED CODEPEN AGAIN TO STEAL CREDIT CARDS
Over the past year, our research into web eSkimming has repeatedly surfaced two worrying patterns: first, attackers are steadily shifting from shady, obviously malicious infrastructure to trusted, high-reputation services; second, follow-up investigations a full year after an initial breach often show that sites compromised once are more likely to be compromised again.
Now, our investigation team has uncovered a new campaign that abuses CodePen: the third distinct attack we’ve seen this past year leveraging this trusted developer platform to support credit card skimming activity.
By quietly embedding malicious loaders into assets delivered from high-reputation domains, attackers can blend into normal web traffic, circle back to previously exposed merchants, and steal payment data directly from the browser, while traditional perimeter-focused defenses struggle to distinguish these attacks from legitimate functionality.
Attack details
In the first of the CodePen-related campaigns that we identified – a large-scale incident in April 2025 – attackers set up a malicious asset on CodePen and then caused compromised e-commerce sites to load the skimming script directly from CodePen’s asset path, making it look like any other legitimate front-end helper. That loader was then paired with convincingly named external domains posing as security tools, and used to capture credit card and checkout information from dozens of online stores, including roughly ten high-traffic UK fast-food websites.
In January 2026, the second eSkimming variant leveraging CodePen to host the skimming logic was observed, targeting a major Canadian hardware and electronics retailer. This repeat use of CodePen confirmed that the earlier activity was not a one-off but a reusable tactic: register a free account, upload a “harmless” script, get a CDN-backed URL on a trusted domain, and wire it into compromised checkout pages as if it were just another analytics or UX enhancement.
Now, in February 2026, a third, more advanced iteration has appeared, once again loading the malicious JavaScript from CodePen but changing how stolen data is sent out of the browser. Instead of relying on standard HTTP form posts, the script opens a WebSocket connection to an attacker-controlled domain and streams data in real time, making the traffic look more like ongoing, legitimate browser communication.
Across all three incidents, the common thread was the strategic abuse of a high-reputation developer platform that most organizations are reluctant to block at the domain level, making these eSkimming operations extremely difficult to distinguish from normal traffic and allowing attackers to harvest card data during peak checkout periods with little chance of being noticed in time.

How Source Defense protects you
Source Defense is designed with the assumption that even “trusted” domains and SaaS platforms can be turned into eSkimming delivery channels, and applies a zero-trust, policy-based model to third-party JavaScript like these CodePen-hosted loaders. When a script running in the browser attempts to interact with sensitive checkout fields, Source Defense can enforce controls that strictly govern access to PCI data so that only approved behaviors are allowed while suspicious attempts to read or harvest payment information are blocked.
If a script then tries to move data off the page – whether through traditional HTTP mechanisms or newer channels such as WebSocket messages – Source Defense detects and flags that behavior in real time and enforces policies that keep sensitive information from being exposed, before the script can do damage.
By inserting itself between third-party scripts and the underlying page, Source Defense lets organizations keep the convenience of platforms like CodePen and other developer tools while stripping away the attackers’ ability to quietly repurpose them into eSkimming infrastructure.
How Source Defense alerts you
Alongside enforcement, Source Defense continuously monitors script behavior and surfaces clear, actionable alerts whenever activity begins to resemble an eSkimming or Magecart-style attack, whether the affected code is first- or third-party and whether you’re using the detect-only or full protect product.
If a CodePen-served script starts touching payment form fields, you’ll see alerts for behaviors such as “Accessing PCI data,” and if it attempts to send information to an external service—over WebSockets or other channels—you’ll also see “Transferring data” events tied to the specific script and destination domain. The alert “Sending data to blacklisted domain” would also be triggered in this case. These alerts appear in the bell notification center and are summarized on the main dashboard, with more details available on the Scripts page for a deeper view of what the code attempted to do in the browser.
For faster response and integration into existing workflows, the same alerts can also be delivered via email and/or webhook into your SIEM, SOAR, or ticketing system, giving your team immediate visibility into emerging client-side threats.
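
To make the WebSocket exfiltration path described above and the two alert behaviors (“Accessing PCI data” and “Transferring data”) concrete, here is a small added example of a client-side guard. It is illustrative code written for this post, not Source Defense’s product code; the approved origin and the RecordingSocket stand-in are constructed for the example.

```javascript
// Added example, not Source Defense's product code: a small client-side guard
// that mirrors the two behaviours the article alerts on, "Accessing PCI data"
// and "Transferring data", for scripts that try to exfiltrate over WebSocket.
// Assumption: the merchant's own WebSocket endpoint origin is the only approved one.
const APPROVED_ORIGINS = new Set(["wss://checkout.example-shop.test"]);

// Luhn check so that ordinary numeric IDs are not mistaken for card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Inspect one outbound message and return the alert names it would raise.
function inspectOutbound(destination, payload) {
  const findings = [];
  let origin;
  try { origin = new URL(destination).origin; } catch { origin = String(destination); }
  if (!APPROVED_ORIGINS.has(origin)) findings.push("Transferring data");
  // 13 to 19 digits, optionally separated by spaces or dashes, that pass Luhn.
  const text = typeof payload === "string" ? payload : String(payload);
  const runs = text.match(/\d(?:[ -]?\d){12,18}/g) || [];
  if (runs.some((r) => luhnValid(r.replace(/[ -]/g, "")))) findings.push("Accessing PCI data");
  return findings;
}

// Wrap a WebSocket-like constructor so every send() is inspected first;
// messages with findings are blocked and reported instead of being sent.
function installWebSocketGuard(WS, onAlert) {
  const originalSend = WS.prototype.send;
  WS.prototype.send = function (data) {
    const findings = inspectOutbound(this.url, data);
    if (findings.length > 0) {
      onAlert({ destination: this.url, findings });
      return; // blocked: nothing reaches the network
    }
    return originalSend.call(this, data);
  };
}

// Constructed stand-in for the browser's WebSocket so the guard runs offline.
class RecordingSocket {
  constructor(url) { this.url = url; this.sent = []; }
  send(data) { this.sent.push(data); }
}
```

In a real page the guard would be installed as `installWebSocketGuard(window.WebSocket, sendAlertToYourSiem)` before any third-party script loads; the Luhn filter keeps order numbers and timestamps from triggering false "Accessing PCI data" findings.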
Key takeaways
These three CodePen incidents underscore why client-side security – and specifically a zero-trust approach to third-party JavaScript – is now essential for protecting modern e-commerce from eSkimming.
Traditional controls like WAFs, CSP, SRI, and server-side logging focus on the network edge or backend systems and are inclined to trust high-reputation SaaS domains, leaving a blind spot in the browser where these attacks actually execute and where payment data is entered.
By providing real-time control and visibility over what scripts do on the checkout page – what data they touch and when they try to send it elsewhere – Source Defense helps organizations stay ahead of attackers who are increasingly weaponizing legitimate developer platforms. The business impact is straightforward: fewer stolen cards, reduced risk of PCI violations and brand damage, and higher confidence that even when attackers hide behind “trusted” services, your shoppers and your revenue remain protected.