Magecart: How Akamai Protected a Global Retailer Against a Live Attack

Gal Meiri

Written by

Gal Meiri

March 07, 2025


Gal Meiri is a senior security researcher with vast research experience in the fields of client-side threats and browser capabilities. Gal leads the Akamai Client-Side Protection & Compliance Threat Research team. As a researcher, Gal investigates various client-side threats among web skimmers and Magecart attacks. In the past, Gal specialized in client-side user and device fingerprinting and bot detection.

With Akamai Client-Side Protection & Compliance, businesses can stop the attack in real time.

Editorial and additional commentary by Emily Lyons

Magecart, a client-side threat in which an attacker injects malicious code into ecommerce websites to steal payment data, remains a serious threat to online businesses. These attacks are becoming more frequent and sophisticated, and they are often part of large-scale campaigns that simultaneously compromise multiple sites.

At Akamai, we continuously monitor these threats and have seen a variety of attacks, with many differing in scale, infection techniques, and the strategies used to evade detection to exfiltrate sensitive data.

Magecart attacks are designed to remain hidden 

Magecart attacks are particularly dangerous because they are designed to remain silent and undetected. Unlike traditional cyberattacks that may cause immediate disruptions, Magecart infections often go unnoticed for weeks or even months, silently stealing customer payment data during checkout. 

The rise in these attacks has also led to stricter security requirements, such as the new Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 compliance standards, which focus on improving website security by requiring businesses to track and monitor scripts running on their sites.

A Magecart campaign case study

In early 2025, Akamai observed an active Magecart attack affecting a major global retail customer. This attack was part of a larger campaign that had been active for weeks, targeting Magento websites across multiple regions and industries. The attackers exploited a well-known CVE (security flaw) in Magento, which allowed them to gain unauthorized access to the website infrastructure. Once inside, they injected malicious JavaScript code into a first-party asset on the targeted websites.

This malicious script acted as a loader, meaning it was responsible for fetching and executing the next stage of the attack. When users visited the infected checkout pages, the loader would retrieve additional attack components from an attacker-controlled third-party domain. This approach allowed the attackers to bypass static security checks and keep the attack flexible since they could update the malicious payload remotely.

To further evade detection, the attackers used multiple domains following a similar naming pattern, with each domain assigned to different sets of compromised websites. This tactic complicated domain-based threat intelligence and blocking efforts, as security teams could not rely on a single known malicious domain to stop the attack. 

By frequently rotating domains and distributing them across various victims, the attackers minimized the risk of detection and takedown, allowing their campaign to persist for an extended period.
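A default-deny allowlist is one control that does not depend on knowing each rotated domain in advance. The sketch below is an added example, not Akamai's implementation or code from the original post; the `ALLOWED` map, the function names and every hostname are assumptions constructed for illustration.

```javascript
// Added example: default-deny check of checkout-page requests.
// Every hostname is a constructed placeholder under the reserved .example TLD.
const ALLOWED = {
  script: ["shop.example", "js.payments.example"],
  connect: ["shop.example", "*.payments.example"],
};

// CSP host-source semantics: "*.a.example" matches subdomains only, and the
// leading dot keeps "evilpayments.example" from matching "*.payments.example".
function hostAllowed(host, allowlist) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return allowlist.some((entry) =>
    entry.startsWith("*.") ? h.endsWith(entry.slice(1)) : h === entry);
}

// The same allowlist rendered as a Content-Security-Policy header value.
function buildCsp(allowed) {
  return Object.entries(allowed)
    .map(([kind, hosts]) => `${kind}-src ${hosts.map((h) => "https://" + h).join(" ")}`)
    .join("; ");
}

// Return every observed request that the allowlist does not cover.
function flagRequests(requests, allowed) {
  const findings = [];
  for (const req of requests) {
    let url;
    try { url = new URL(req.url); } catch {
      findings.push({ ...req, reason: "unparseable-url" });
      continue;
    }
    const ok = url.protocol === "https:" &&
      hostAllowed(url.hostname, allowed[req.kind] || []);
    if (!ok) findings.push({ ...req, host: url.hostname, reason: "not-allowlisted" });
  }
  return findings;
}

// Constructed observations from one checkout page load.
const observed = [
  { kind: "script", url: "https://shop.example/static/checkout.js" },
  { kind: "script", url: "https://cdn-stats-01.example/l.js" },
  { kind: "connect", url: "https://api.payments.example/v1/token" },
  { kind: "connect", url: "https://cdn-stats-02.example/c" },
  { kind: "connect", url: "https://evilpayments.example/c" },
];

console.log(buildCsp(ALLOWED));
console.log(flagRequests(observed, ALLOWED));
```

Both constructed look-alike hosts are flagged without appearing on any blocklist, because the decision rests on what the checkout page is expected to contact.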

Real-time defense with Akamai Client-Side Protection & Compliance

Akamai Client-Side Protection & Compliance detected suspicious activity affecting the global retailer. The solution triggered two high-risk alerts, indicating signs of an active Magecart attack.

The first alert: Initiating a connection to a known malicious domain

The first alert indicated that the retailer’s website was initiating a connection to a known malicious domain. At Akamai, our cross-product intelligence continuously gathers and shares information on risky and malicious domain names. This intelligence is directly integrated into Client-Side Protection & Compliance’s domain-scoring engine, which assigns a risk score to each domain. 

In this case, the solution flagged a first-party JavaScript loader making a network request to a malicious domain that Akamai’s intelligence network had previously identified. The system immediately notified the customer, alerting them to the unauthorized external connection.

The second alert: Suspicious behavior within the checkout page

Right after the first alert, a second alert was triggered. This time, Client-Side Protection & Compliance detected suspicious behavior within the checkout page. The malicious script was actively reading sensitive customer information and attempting to exfiltrate it to an unauthorized third-party destination.

This confirmed that the attack was not just an injection of malicious code, but an active attempt to steal sensitive data, such as payment information, from site visitors in real time.

Real-time mitigation

In addition to our detection and alerting process, Client-Side Protection & Compliance also provides real-time mitigation for Magecart attacks. Our solution allows customers to take immediate, real-time action to block outbound traffic to the malicious domain receiving stolen data or to prevent the JavaScript resource from accessing sensitive information across protected pages. 

This real-time response capability is a critical advantage for our customers. It allows them to stop threats immediately, rather than starting an investigation and incident response process, which can take time to complete. 

With Akamai Client-Side Protection & Compliance, businesses can stop the attack in real time, then focus on removing the compromised JavaScript and securing back-end access in a controlled manner — without being under immediate pressure from an active breach.

Why in-browser security matters

Akamai Client-Side Protection & Compliance operates directly within the user's browser, running in real time during actual user sessions. This approach makes it harder for attackers to evade detection, unlike many traditional tools that rely on external scans or synthetic tests.

Magecart attackers often design their scripts to self-terminate when they detect bots, a controlled environment, or security scans. Client-Side Protection & Compliance bypasses these tricks by analyzing real-user interactions, providing full visibility into every JavaScript execution — tracking its origin, purpose, and behavior. This ensures any unauthorized script attempting to steal data is caught and stopped instantly.

By running directly within real-user sessions, Client-Side Protection & Compliance effectively renders these evasion techniques futile and ensures accurate and comprehensive detection of malicious behavior.

Additionally, the Akamai product provides full visibility into every JavaScript execution on the page, tracking its origin, purpose, and behavior. This deep insight allows for real-time threat detection and ensures that any unauthorized script attempting to steal sensitive data is identified and stopped before it can cause harm.

Addressing PCI DSS v4.0.1 JavaScript security requirements

The new PCI DSS v4.0.1 JavaScript security requirements (6.4.3 and 11.6.1) emphasize stronger protections against Magecart attacks, focusing on script management and real-time monitoring. Akamai Client-Side Protection & Compliance helps businesses meet these requirements effortlessly.

Compliance with Requirement 6.4.3

Client-Side Protection & Compliance inherently provides script authorization and integrity by continuously inspecting every script execution on the page. Unlike traditional security tools that only review static script files, Client-Side Protection & Compliance monitors scripts in real time, detecting unauthorized behavior and alerting users to potential threats or policy violations. This ensures compliance with Requirement 6.4.3, which mandates script validation and integrity verification.

Additionally, Client-Side Protection & Compliance automatically maintains a full script inventory, listing all first-party and third-party scripts running on the website, including payment pages. This inventory includes built-in justifications for third-party vendor resources, helping businesses stay compliant with the requirement to document and justify all scripts used in the payment process. It removes the need for manual tracking and approval workflows, making compliance effortless.

Compliance with Requirement 11.6.1

For Requirement 11.6.1, which focuses on detecting unauthorized changes, Client-Side Protection & Compliance offers continuous monitoring of both scripts and HTTP security headers, ensuring that any suspicious changes are immediately flagged for review.
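The inventory, integrity and change-detection checks described for Requirements 6.4.3 and 11.6.1 reduce to comparing an approved baseline with what the payment page actually served. The following is an added example, not Akamai's product logic or code from the original post; the data shapes, function names, URLs, digest strings and header values are all constructed assumptions.

```javascript
// Added example: diff an approved baseline against one payment-page observation.
// URLs, digest strings and header values are constructed placeholders.
const baseline = {
  scripts: {
    "https://shop.example/static/checkout.js":
      { digest: "sha384-CONSTRUCTED-A", justification: "checkout form logic" },
    "https://js.payments.example/v3/sdk.js":
      { digest: "sha384-CONSTRUCTED-B", justification: "card tokenization" },
  },
  headers: {
    "Content-Security-Policy": "script-src https://shop.example https://js.payments.example",
    "Strict-Transport-Security": "max-age=31536000",
  },
};

// HTTP header names are case-insensitive, so compare them lowercased.
const lowerKeys = (o) =>
  Object.fromEntries(Object.entries(o).map(([k, v]) => [k.toLowerCase(), v]));

function diffPaymentPage(base, seen) {
  const findings = [];
  for (const [url, digest] of Object.entries(seen.scripts)) {
    const approved = base.scripts[url];
    if (!approved) findings.push({ type: "unauthorized-script", url });
    else if (approved.digest !== digest) findings.push({ type: "script-modified", url });
    else if (!approved.justification) findings.push({ type: "missing-justification", url });
  }
  const before = lowerKeys(base.headers), after = lowerKeys(seen.headers);
  for (const name of new Set([...Object.keys(before), ...Object.keys(after)])) {
    if (before[name] === after[name]) continue;
    const type = !(name in after) ? "header-removed"
      : !(name in before) ? "header-added" : "header-changed";
    findings.push({ type, name });
  }
  return findings;
}

// Constructed observation: the first-party asset changed, an unknown script
// appeared, and the CSP header is no longer served.
const observation = {
  scripts: {
    "https://shop.example/static/checkout.js": "sha384-CONSTRUCTED-X",
    "https://js.payments.example/v3/sdk.js": "sha384-CONSTRUCTED-B",
    "https://cdn-stats-01.example/l.js": "sha384-CONSTRUCTED-Y",
  },
  headers: { "strict-transport-security": "max-age=31536000" },
};

console.log(diffPaymentPage(baseline, observation));
```

The `script-modified` finding is the one that corresponds to the case study above, where the injected loader lived inside an existing first-party file rather than a new script tag.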

With Akamai Client-Side Protection & Compliance, compliance with PCI DSS v4.0.1 becomes a proactive, automated process, eliminating the complexity of manual script management while providing real-time protection against Magecart and other client-side threats.

Conclusion

Magecart attacks continue to evolve, becoming more sophisticated and harder to detect. This attack case study highlights how client-side security is critical for protecting ecommerce websites from silent, data-stealing attacks that often go unnoticed.

Akamai Client-Side Protection & Compliance provides real-time detection of JavaScript threats, ensuring malicious scripts and unauthorized data exfiltration attempts are identified and mitigated immediately. By continuously monitoring all script execution behavior and tracking sensitive data flows, Akamai’s solution gives businesses the ability to respond instantly to threats, preventing financial and reputational damage.

Additionally, Client-Side Protection & Compliance helps organizations seamlessly comply with PCI DSS v4.0.1 requirements by automating script validation, integrity monitoring, and unauthorized change detection — all with minimal manual effort.

Learn more

Learn more about how Client-Side Protection & Compliance can help your business.


