Proprietary 2019-05-10 · 2 days · Payment Card Theft, Data Theft

Picreel scripts carried Magecart skimmer

Magecart actors compromised Picreel and Alpaca Forms JavaScript in May 2019. Customer sites loaded the trusted scripts and leaked payment data to attacker infrastructure.

Story

This was a third-party JavaScript supply-chain attack. Picreel supplied marketing and analytics code that customers embedded into their sites; Alpaca Forms supplied form-building JavaScript through a CDN path associated with Cloud CMS.

Around May 10-12, 2019, attackers modified both suppliers' scripts within a short window. Willem de Groot publicly warned that more than 1,200 Picreel customer sites and roughly 3,400 Alpaca/Cloud CMS sites were exposed.

RiskIQ and later coverage treated the two compromises as linked Magecart activity. The skimmer was injected into supplier-hosted JavaScript, then downloaded by customer sites that trusted those suppliers. One supplier compromise became many storefront compromises.

Picreel said no company or client data was compromised, but the browser risk sat downstream: card details entered on customer sites could be skimmed in the visitor's session. This record treats the 4,600-site figure as exposed site scope, not confirmed stolen-card count.

Affected Artifacts

Alpaca Forms 1.5.23

hosted javascript · alpacajs.org · Source Archive
Observed: 2019-05-10 to 2019-05-12
Compromised Versions: Unknown
Fixed: Not listed
Evidence:
  • distribution: alpacajs.org
  • malware: Magecart
  • domain: font-assets.com
  • observable: Alpaca Forms CDN script was modified with the same skimmer family during the same attack window.
  • Reporting attributed roughly 3,400 exposed sites to the Alpaca Forms/Cloud CMS side of the incident; Cloud CMS said Alpaca Forms, not Cloud CMS itself, was compromised.

Incident Context

Motive: Financial Gain
Attribution: Group
Cause: Compromised Third Party Script
Transitive: Yes
Actor: Magecart actor

External References

Source record: proprietary/picreel/meta.yaml