Cybersecurity researchers have unveiled a WebRTC-based skimmer that bypasses CSP to exfiltrate payment data, marking a notable evolution in web skimming. According to Sansec, the malware deploys as a self-executing script that opens a WebRTC peer connection to a fixed IP address (202.181.177[.]177) over UDP port 3479 to fetch JavaScript code. That code is then injected into the page to steal payment information.
The attack is linked to PolyShell, a Magento Open Source and Adobe Commerce vulnerability that allows unauthenticated attackers to upload executables via the REST API and achieve code execution. Mass exploitation has been observed since 19 March 2026, with more than 50 IP addresses involved in scanning. The use of WebRTC is described as bypassing CSP directives because WebRTC DataChannels run over DTLS-encrypted UDP rather than HTTP, which also makes the exfiltration harder to detect.
Adobe released a fix in version 2.4.9-beta1 on 10 March 2026, but the patch has not yet reached production versions. Site owners are advised to block the pub/media/custom_options/ directory and to scan for web shells and other malware.
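
As a starting point for the scan advised above, the following added example (not code from Sansec or Adobe) walks pub/media/custom_options/ under a Magento root and flags files that have a PHP-style extension or contain a PHP open tag. The extension list, the tag heuristic and the `sample` subdirectory are assumptions made for illustration, and the files in `demo()` are constructed.

```python
import os
import re
import tempfile

# Assumption: this upload directory should hold customer-supplied data only,
# never server-side code, whatever extension a file carries.
UPLOAD_DIR = os.path.join("pub", "media", "custom_options")
SCRIPT_EXT = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def scan_uploads(magento_root, max_bytes=5 * 1024 * 1024):
    """Return sorted (relative_path, reason) pairs for suspicious uploads."""
    base = os.path.join(magento_root, UPLOAD_DIR)
    findings = []
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, magento_root)
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXT:
                findings.append((rel, "script extension " + ext))
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)  # only the first max_bytes are checked
            except OSError as exc:
                findings.append((rel, "unreadable: %s" % exc.strerror))
                continue
            if PHP_TAG.search(data):
                findings.append((rel, "PHP open tag inside non-script file"))
    return sorted(findings)


def demo():
    """Build a constructed directory tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        sample_dir = os.path.join(root, UPLOAD_DIR, "sample")
        os.makedirs(sample_dir)
        samples = {  # constructed file contents, not real malware
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
            "photo.gif": b"GIF89a<?php /* constructed marker */ ?>",
            "notes.PHP": b"constructed sample",
        }
        for name, body in samples.items():
            with open(os.path.join(sample_dir, name), "wb") as fh:
                fh.write(body)
        return scan_uploads(root)
```

A hit is a lead for manual review rather than proof of compromise, and a clean result does not replace blocking the directory at the web server.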