Feedify push script injected Magecart
Magecart compromised Feedify's hosted push-notification JavaScript. Customer sites loading the Feedify library also loaded a card skimmer into checkout pages.
Story
Feedify sold hosted push-notification and engagement scripts to ecommerce sites. Customers embedded Feedify JavaScript, then trusted Feedify's servers to supply live code into their pages. That trust made the service a useful Magecart target.
RiskIQ and Sucuri reported that attackers altered Feedify's hosted JavaScript so customer sites loaded skimming code from the third-party service path. The compromise mattered because the code executed in shoppers' browsers, inside the same page context where names, addresses, and card data were typed.
RiskIQ said it had observed the compromise beginning on August 17, 2018, and that attackers may have had access for nearly a month. Public reporting later tied the incident to Feedify's advertised base of more than 4,000 customers, but that number is treated as exposed customer scope, not confirmed victim count.
This record is scoped to the Feedify script distribution path. Individual ecommerce stores may have separate incidents, but the supply-chain event was the shared script: one compromised service, many dependent checkout pages.
Affected Artifacts
- Observed: 2018-08-17 to 2018-11-09
- Compromised Versions: Unknown
- Fixed: Not listed
Incident Context
- Motive: Financial Gain
- Attribution: Group
- Cause: Compromised Third Party Script
- Transitive: Yes
- Actor: Magecart
Indicators
- family: Magecart
- file: pushconfig.js
- domain: feedify.net
- observable: Feedify advertised more than 4,000 customers; this is exposed customer scope, not confirmed affected shopper count.
External References
- Feedify Compromised Push Notifications Used to Load Card Skimmer (web.archive.org)
- Magecart Compromises Feedify (web.archive.org)
- MageCart Attackers Compromise Cloud Service Firm Feedify (securityweek.com)
Source record: proprietary/feedify/meta.yaml