Threat Intelligence | 2026-05-26 | 10 min read

Web Skimming in 2026: A Defender's Complete Guide

Magecart, formjacking, and service-worker skimmers are one threat family. Here's what web skimming looks like today and what monitoring actually stops it.

Web skimming is the umbrella term for stealing card data and credentials directly in the visitor's browser through injected client-side code. Magecart is the best-known label (a collective name for several criminal groups rather than a single actor), formjacking is the technique of hooking form input before it is submitted, and skimmers are the scripts themselves. All share one model: a compromised first-party page or third-party dependency, a silent listener on the payment form, and exfiltration to an attacker-controlled domain.

What changed in 2024–2026: skimmers rarely sit in an obvious inline <script> tag any more. The dominant variants we observe hide inside service workers (which run outside the page and survive reloads and navigation), WebAssembly blobs, lazy-imported chunks, and PNG/SVG steganography. Many activate conditionally: the payload runs only in sessions that pass an anti-analysis check for headless or automated browsers, and stays dormant otherwise.

That conditionality is why passive scanners fail. A scanner that reads static HTML, or matches signatures against a once-a-day crawl, never sees a payload that only appears after genuine interaction. You need real-browser execution monitoring that looks enough like a real visitor to trigger the skimmer, and that records everything when it fires.

ExploitShield's approach: a fully instrumented Chromium with service-worker hooks runs a synthetic checkout every 5 minutes, records every executed JS body, deobfuscates common packers, and compares every outbound request destination against 500+ blocklists and skimmer-endpoint heuristics. A skimmer fires only in sessions that pass its own checks; we see it because ours do.
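The triage step described above, as an added example that is not ExploitShield's code: given the outbound requests recorded from one synthetic checkout, ignore destinations on the checkout allow-list, then flag anything else, escalating to HIGH when a Luhn-valid card number shows up in the request after trying the usual cheap encodings (percent-encoding, base64, base64url). The hostnames, the allow-list, the recorded requests and the 4111 1111 1111 1111 test card are all constructed for illustration; blocklist lookups and domain-age checks are assumed to happen elsewhere.

```javascript
// Added example (not ExploitShield code): triage outbound requests recorded
// from a synthetic checkout. All hosts, requests and the allow-list below are
// constructed for illustration.

// Luhn check: a 13-19 digit run that passes it is treated as a candidate PAN.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Find Luhn-valid digit runs; spaces or dashes between digits are tolerated.
function findPans(text) {
  const out = new Set();
  for (const m of text.matchAll(/\d(?:[ -]?\d){12,18}/g)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (luhnValid(digits)) out.add(digits);
  }
  return [...out];
}

// Skimmers rarely send cleartext. Build several views of the request text:
// raw, percent-decoded, and every base64/base64url-looking token decoded.
function decodeCandidates(text) {
  const views = new Set([text]);
  try { views.add(decodeURIComponent(text)); } catch { /* not percent-encoded */ }
  for (const tok of text.match(/[A-Za-z0-9+/_-]{16,}/g) ?? []) {
    const b64 = tok.replace(/-/g, "+").replace(/_/g, "/"); // base64url -> base64
    views.add(Buffer.from(b64, "base64").toString("utf8"));
  }
  return [...views];
}

// requests: [{ method, url, body }] as recorded by the instrumented browser.
// allowHosts: hostnames the checkout is expected to talk to (first party, PSP).
function triageSession(requests, allowHosts) {
  const findings = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (allowHosts.has(host)) continue; // expected destination, not a finding
    const pans = new Set();
    for (const view of decodeCandidates(`${req.url}\n${req.body ?? ""}`)) {
      for (const p of findPans(view)) pans.add(p);
    }
    findings.push({
      host,
      method: req.method,
      severity: pans.size ? "HIGH" : "MEDIUM",
      reason: pans.size
        ? "card data sent to a destination outside the checkout allow-list"
        : "destination outside the checkout allow-list contacted during checkout",
      // Mask PANs before they land in a ticket or log.
      pans: [...pans].map((p) => p.slice(0, 6) + "*".repeat(p.length - 10) + p.slice(-4)),
    });
  }
  return findings;
}

// Constructed session: one legitimate PSP call, two exfil attempts, one untracked tag.
const SYNTHETIC_PAN = "4111111111111111"; // standard test card number
const toB64url = (s) => Buffer.from(s).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sessionRequests = [
  { method: "POST", url: "https://checkout.example/api/pay",
    body: JSON.stringify({ card: SYNTHETIC_PAN, exp: "12/29" }) },
  { method: "POST", url: "https://api-stats.example.xyz/gate.php",
    body: "d=" + toB64url(JSON.stringify({ cc: SYNTHETIC_PAN, cvv: "123" })) },
  { method: "GET", url: "https://img-host.example/pixel.gif?p=" + Buffer.from(`num=${SYNTHETIC_PAN}`).toString("base64") },
  { method: "POST", url: "https://analytics.example.net/collect", body: "ev=pageview&t=checkout" },
];
const CHECKOUT_ALLOW = new Set(["checkout.example", "api.example-psp.com"]);

for (const f of triageSession(sessionRequests, CHECKOUT_ALLOW)) {
  console.log(`[${f.severity}] ${f.method} ${f.host}: ${f.reason}`, f.pans);
}
```

The image-beacon case is deliberate: a GET with the card number in the query string is as much an exfiltration as a POST, which is why the triage scans the URL and not only the body. The masked PAN in the finding lets an analyst confirm the leak against the synthetic card without copying full card data into the alert.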

Defender's checklist: maintain an inventory of every third-party script loaded on a payment path, and pin the static ones with Subresource Integrity; enforce a Content-Security-Policy whose allow-list covers every channel a script can use to leave the page (connect-src for fetch, XHR, WebSocket and beacons, img-src for pixel-style exfiltration, form-action for a hijacked form submission; the last two are not covered by connect-src, and form-action does not inherit from default-src), and serve the same policy with any service-worker script, because a worker's outbound fetches are governed by the CSP of its own response rather than the page's; monitor outbound destinations under real execution; and treat every newly registered domain reached from a checkout page as an incident until proven otherwise.