In recent months, there have been numerous reports about new website attack campaigns that use injected malicious JavaScript.
The Hacker News reported on a large-scale formjacking campaign where stealthy JavaScript was injected to mine cryptocurrency on end-user machines, affecting more than 3,500 websites.
GBHackers highlighted a new Magecart-style campaign targeting online checkout forms. In that case, attackers used heavily obfuscated JavaScript to hook into payment input fields, capture sensitive data, and exfiltrate it to attacker-controlled servers. Security researchers confirmed dozens of e-commerce sites contained the malicious script tag, signaling a widespread and coordinated deployment.
In both scenarios, the victim websites were compromised through supply-chain attacks. Instead of directly breaching each individual site, attackers infiltrated one or more upstream dependencies (such as third-party scripts, plugins, or content delivery networks) which then delivered malicious code to all downstream websites. This approach is attractive to attackers because a single compromise can scale to thousands of targets in one move.
Why Magecart Is Still Relevant
Although Magecart was first identified years ago, it remains a major threat today. The techniques have evolved, but the objective is the same: silently stealing customer payment data during the checkout process. What makes Magecart particularly persistent is that it exploits the way modern websites are built, relying heavily on third-party code for payments, analytics, advertisements, and user experience enhancements.
For attackers, Magecart is effective because it:
Targets high-value data: credit card numbers, billing addresses, and authentication details.
Uses stealth: malicious scripts are often obfuscated and disguised as legitimate resources.
Scales well: compromising a single payment provider or dependency can impact thousands of businesses.
For businesses, the impact is more than financial loss. Magecart attacks can lead to regulatory consequences (e.g., PCI DSS non-compliance), reputational damage, and loss of customer trust. Even one incident can result in long-lasting harm to brand reputation.
Defense Strategies Against JavaScript Supply-Chain Attacks
Protecting against these types of attacks requires a multi-layered defense strategy. No single control will stop every variant, but combining the right practices significantly reduces risk.
Monitor Script Changes - Regularly scan and monitor <script> tags on your websites. Sudden additions of unknown scripts, changes in source domains, or obfuscated code can be early signs of compromise. Automated monitoring tools can alert teams in real time.
Enforce Content Security Policy (CSP) - A properly configured CSP helps limit where scripts can be loaded from, reducing the likelihood of malicious code executing. For example, restricting scripts to trusted domains makes it harder for injected code from unrecognized sources to run.
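As an added example (not code from this article or from Digital.ai), the Node.js script below shows what the first two controls look like in practice: it inventories the script tags of a page, compares their hosts against a baseline allowlist, flags inline scripts that carry common obfuscation indicators, and derives the CSP script-src directive that the same allowlist implies. The HTML, host names and baseline are constructed sample values, not real sites.

```javascript
// Added example, not code from the article: inventory <script> tags in a page,
// compare against a known-good baseline, and flag obfuscation indicators.
// Plain Node.js, no dependencies. All hosts and HTML below are constructed samples.

const SITE_CONFIG = {
  siteHost: "www.example-shop.com",                         // assumed first-party host
  baselineHosts: new Set(["www.example-shop.com",           // assumed allowlist of script
                          "cdn.trusted-analytics.example"]) // hosts recorded at baseline
};

// Constructed page: one first-party script, one vetted third-party script with SRI,
// one script from a host not in the baseline, and one suspicious inline script.
const SAMPLE_HTML = `<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.trusted-analytics.example/tag.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://static.unknown-cdn.example/loader.js"></script>
<script>eval(atob("ZGVtbw=="));</script>
</head><body></body></html>`;

// Pull every <script> element out of the HTML: its src (if any), its inline body,
// and whether an integrity attribute is present.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    scripts.push({
      src: src ? src[1] : null,
      body: m[2].trim(),
      hasIntegrity: /\bintegrity\s*=/i.test(attrs),
    });
  }
  return scripts;
}

// Cheap textual indicators that often accompany obfuscated skimmer code.
// They are triage signals, not proof: minified legitimate libraries can trip some.
function obfuscationIndicators(body) {
  const hits = [];
  if (/\beval\s*\(/.test(body)) hits.push("eval");
  if (/\batob\s*\(/.test(body)) hits.push("atob");
  if (/String\.fromCharCode/.test(body)) hits.push("fromCharCode");
  if (/(\\x[0-9a-f]{2}){4,}/i.test(body)) hits.push("hex-escaped string");
  if (/[A-Za-z0-9+/]{80,}={0,2}/.test(body)) hits.push("long base64 blob");
  return hits;
}

// Audit one page against the baseline. Returns a list of findings for triage.
function auditScripts(html, { siteHost, baselineHosts }) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src !== null) {
      let host = null;
      try { host = new URL(s.src, `https://${siteHost}/`).hostname; } catch (_) { /* unparsable src */ }
      if (host === null || !baselineHosts.has(host)) {
        findings.push({ kind: "unknown-host", host, src: s.src });
      } else if (host !== siteHost && !s.hasIntegrity) {
        findings.push({ kind: "third-party-without-sri", host, src: s.src });
      }
    } else {
      const indicators = obfuscationIndicators(s.body);
      if (indicators.length > 0) findings.push({ kind: "suspicious-inline", indicators });
    }
  }
  return findings;
}

// The same baseline expressed as a CSP script-src directive: 'self' for the
// first-party host, explicit https origins for every vetted third party.
function scriptSrcDirective({ siteHost, baselineHosts }) {
  const thirdParties = [...baselineHosts].filter((h) => h !== siteHost).sort()
    .map((h) => `https://${h}`);
  return ["script-src", "'self'", ...thirdParties].join(" ");
}

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, SITE_CONFIG), null, 2));
console.log("Content-Security-Policy-Report-Only: " + scriptSrcDirective(SITE_CONFIG));
```

Run it against a saved copy of the checkout page on a schedule and alert on any new finding; the baseline is simply the findings-free inventory you recorded on a known-good day. The derived directive is best rolled out first as Content-Security-Policy-Report-Only so that legitimate scripts the inventory missed show up as violation reports rather than broken checkouts.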
Use Subresource Integrity (SRI) - Adding SRI hashes to third-party scripts ensures that the resource loaded by the browser matches the expected cryptographic hash. If an attacker tampers with the script upstream, the browser will block it.
Adopt Runtime Application Self-Protection (RASP) - RASP solutions provide runtime monitoring and blocking of suspicious activity. They can prevent unauthorized DOM modifications, detect unexpected network requests, and stop sensitive data from being exfiltrated. For organizations looking to strengthen this layer, solutions like Digital.ai’s Application Security for Web can add visibility and protection directly in the browser environment without requiring major architectural changes.
Audit and Minimize Dependencies - The fewer third-party scripts your site relies on, the smaller the attack surface. Regularly review dependencies, remove unused libraries, and vet new ones carefully.
Incident Response Preparedness - Even with the best defenses, compromises may still occur. Having an incident response plan, including rapid removal of malicious scripts, notification processes, and forensic investigation, helps minimize damage.
Websites Are Not the Only Target
The reach of Magecart-style attacks extends beyond traditional websites. In a 2018 breach of the British Airways website, attackers injected malicious JavaScript that targeted a payment page. However, because the airline’s mobile app shared portions of the same compromised codebase, the impact went even deeper. As a result, both web and mobile app customers were exposed. This underscores the need for organizations to protect every digital channel, through strong website defenses and comprehensive mobile app hardening.
So What Now?
Malicious JavaScript injections, whether for cryptocurrency mining or Magecart-style skimming, are not going away.
The underlying issue is structural: the web supply chain is vast, interdependent, and often opaque. For businesses, this means acknowledging the shared responsibility model: security is not just about securing internal systems, but also about monitoring and controlling the external code you rely on.
By combining proactive monitoring, strong browser-enforced policies, dependency management, and runtime protection, organizations can significantly reduce their exposure. As attackers continue to innovate, staying ahead requires both technical vigilance and executive commitment to making web security a priority.