When Your Trusted Vendor Becomes the Threat
A major Magecart attack is silently unfolding across the UK’s fast-food sector—and the root cause is a trusted vendor.
The Source Defense Research Team has uncovered a widespread skimming campaign affecting over 65 fast-food websites developed by a popular online food ordering platform, a UK-based web development firm for hospitality.
You Didn’t Get Hacked—Your Vendor Did
The attacker didn’t breach dozens of websites. They only needed one entry point: a shared site template.
By injecting malicious code into a single template file used across the service provider’s customer base, the threat actor was able to infect dozens of production sites, each harvesting real customer payment data without detection.
Attack details
The breach originated from a single site template reused across multiple websites. Injecting malicious code into a first-party JavaScript file embedded in the template enabled the attacker to scale the infection across dozens of live environments—all silently skimming customer payment data.
At the core of this attack is a known vulnerability in Magento, dubbed CosmicSting. This vulnerability (CVE-2024-34102), previously linked to other skimming campaigns and covered in our post Critical Security Update for Adobe Commerce (Magento) Users, allows unauthorized access to private server files—making it an ideal entry point for compromising shared web components.
The infected asset is a first-party file:
/Global_Theme/js/flickity.pkgd.min.js
This file now opens a WebSocket connection to clearnetfab[.]net—a domain flagged as malicious on VirusTotal—then receives a Magecart payload. This payload monitors legitimate payment forms and exfiltrates sensitive data over the same WebSocket channel.
Key Findings
- Scale and propagation via shared asset: This is a textbook example of Magecart at scale. One compromised file—used in a template shared across dozens of websites—enabled a rapid, silent spread of the infection. Each site remained functional while leaking payment data in real time.
- First-party file infection: The malicious code resides in a same-origin, trusted file—not a third-party dependency—bypassing many traditional defenses including CSP.
- WebSocket-based exfiltration: A stealthy and increasingly common technique that avoids detection by tools monitoring standard HTTP traffic.
- No UI changes: The attack is completely silent. It doesn’t inject fake forms or alter the page visually—making it harder for users and admins to detect. Outbound data is sent to blacklisted malicious domains.
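Because the skimmer lives in a same-origin script, script allowlisting alone does not help; what can still be controlled is where the page is allowed to open WebSocket connections. The following is an added example, not Source Defense's or the vendor's code: a small guard, installed before any other script runs, that wraps the page's WebSocket constructor, refuses connections to origins outside an allowlist, and reports each attempt with the caller's stack so the offending script can be identified. All names, the allowlist entries and the sample URLs are hypothetical.

```javascript
// Added example (not Source Defense code): allow-list outbound WebSocket
// origins so an unexpected channel from a trusted first-party script is
// reported and refused. All identifiers and sample values are hypothetical.

// True only when `url` is a ws:// or wss:// URL whose origin is allow-listed.
// `base` (the document URL) is used to resolve relative URLs when given.
function isAllowedSocketUrl(url, allowedOrigins, base) {
  let parsed;
  try {
    parsed = base ? new URL(String(url), base) : new URL(String(url));
  } catch (e) {
    return false; // unparsable: refuse rather than guess
  }
  if (parsed.protocol !== "ws:" && parsed.protocol !== "wss:") return false;
  return allowedOrigins.includes(parsed.origin);
}

// Replace `scope.WebSocket` (window.WebSocket in a browser) with a wrapper.
// Connections to non-allow-listed origins are passed to `onViolation` and
// refused; allowed ones go to the native constructor unchanged.
function installWebSocketGuard(scope, allowedOrigins, onViolation) {
  const Native = scope.WebSocket;
  if (typeof Native !== "function") return false;
  const base = scope.location ? scope.location.href : undefined;
  function GuardedWebSocket(url, protocols) {
    const target = String(url);
    if (!isAllowedSocketUrl(target, allowedOrigins, base)) {
      // Capture the call stack so the script that opened the socket is visible.
      onViolation({ url: target, stack: new Error().stack });
      const err = new Error("WebSocket to non-allow-listed origin: " + target);
      err.name = "SecurityError";
      throw err;
    }
    return new Native(url, protocols);
  }
  GuardedWebSocket.prototype = Native.prototype; // keep instanceof working
  for (const k of ["CONNECTING", "OPEN", "CLOSING", "CLOSED"]) {
    GuardedWebSocket[k] = Native[k];
  }
  scope.WebSocket = GuardedWebSocket;
  return true;
}

// Browser deployment (assumed): load this script first, then e.g.
// installWebSocketGuard(window, ["wss://shop.example"],
//   (v) => navigator.sendBeacon("/socket-report", JSON.stringify(v)));
```

A `Content-Security-Policy` header with a restrictive `connect-src` directive refuses the same connections at the browser level regardless of which script opens them; the guard above adds attribution of the caller, but a script that runs before it can keep a reference to the native constructor, so it complements rather than replaces the header.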
How Source Defense Protects You
Our technology is built for precisely this kind of scenario:
- Behavioral detection identifies anomalies in trusted scripts, even first-party ones.
- WebSocket traffic is monitored and blocked when malicious behavior is detected.
Why It Matters
This isn’t just a Magecart attack—it’s a reminder that supply chain risks are real.
One shared asset was enough to compromise dozens of trusted sites.