securityaffairs.com 3/26/2026, 12:14:14 PM · via preferred

Researchers uncover WebRTC skimmer bypassing traditional defenses

Primary Source sansec.io

Sansec researchers have uncovered a new payment skimmer that uses WebRTC DataChannels instead of normal web requests to load its malicious code and exfiltrate stolen payment data. According to Sansec, this is what sets the attack apart: the technique helps the skimmer evade standard security controls and makes it harder to detect than traditional skimmers.

The skimmer forges the connection setup locally, connects directly to the attacker’s IP over an encrypted DataChannel, and downloads malicious JavaScript in chunks, which is executed when the connection closes or after a short delay. It evades defenses by stealing a valid CSP nonce from existing scripts. The researchers note that WebRTC traffic is DTLS-encrypted UDP, so network tools that inspect HTTP traffic will not see the stolen data leaving, according to Sansec.
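Because the payload and the stolen data travel over a DataChannel rather than HTTP, the browser API itself is one place where a defender can still observe the technique. The following is an added example, not code from Sansec or the original article: a tripwire for checkout pages that have no legitimate use for WebRTC. `installWebRTCTripwire` and the `report` callback are hypothetical names, and the sketch assumes it is loaded before any other script on the page.

```javascript
// Added example: block and report WebRTC use on pages that should never need it.
// installWebRTCTripwire and report are hypothetical names, not a library API.
function installWebRTCTripwire(globalObj, report) {
  const names = ['RTCPeerConnection', 'webkitRTCPeerConnection'];
  const guarded = [];
  for (const name of names) {
    if (typeof globalObj[name] !== 'function') continue;
    // Replacement constructor: record who called it, then refuse to connect.
    const Blocked = function (...args) {
      report({
        api: name,
        config: args[0] ?? null,     // RTCConfiguration passed by the caller, if any
        stack: new Error().stack,    // points at the script that tried to connect
        when: new Date().toISOString(),
      });
      throw new Error(`${name} is disabled on this page`);
    };
    // Lock the property so a later script cannot simply assign the original back.
    Object.defineProperty(globalObj, name, {
      value: Blocked, writable: false, configurable: false, enumerable: false,
    });
    guarded.push(name);
  }
  return guarded;
}

// Browser usage (assumption: this runs first on the checkout page).
if (typeof window !== 'undefined') {
  installWebRTCTripwire(window, (e) => console.warn('WebRTC attempt blocked', e));
}

// Constructed stand-in for a browser window so the block also runs offline.
function demo() {
  const events = [];
  const fakeWindow = {
    RTCPeerConnection: function () { this.createDataChannel = () => ({}); },
  };
  const guarded = installWebRTCTripwire(fakeWindow, (e) => events.push(e));
  let blocked = false;
  try {
    new fakeWindow.RTCPeerConnection({ iceServers: [] });
  } catch (_) {
    blocked = true;
  }
  return { guarded, blocked, events };
}
```

In production the `report` callback would forward the event to the site's own telemetry; the tripwire is a detection aid, not a complete control.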

The attack targeted a car maker’s e‑commerce site by exploiting the PolyShell vulnerability in Magento and Adobe Commerce. Since 19 March 2026, scanning has come from over 50 IPs, with attacks affecting more than half of vulnerable stores.


Article by CyberSIXT