Magecart Scanner for Magento

Analyzes the page's scripts, Google Tag Manager and network destinations looking for credit-card skimmer patterns (Magecart) that steal data at checkout.

100% free, no signup. We do not store logs of what you look up. Protected by Cloudflare Turnstile.

Stop checking by hand — monitor 24/7

This tool is a snapshot of right now. Especialista Loja Virtual runs real browser checks on your store every few minutes and alerts you on Discord, Slack or email with a screenshot of the problem. Start free.

How the Magecart Scanner works

We fetch the given page and download the scripts it loads. On top of that content we run a static analysis that looks for card-skimmer (Magecart) patterns: known-malicious Google Tag Manager containers, exfiltration domains, Stripe secret keys exposed in the browser, code that reads card fields at checkout, and the obfuscation typical of skimmer payloads.

Each finding comes with a severity (critical, high, medium), the exact evidence found, and what to do to fix it. Important: this analysis is static — it does not execute the page. Skimmers delivered via Google Tag Manager are only assembled when the page runs in the browser, so for full, continuous detection use the Magecart monitoring test in the dashboard, which opens the store in a real browser and observes runtime behavior.
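
A minimal sketch of this kind of static pass, added here as an illustration and not the scanner's own code. The rule patterns, severities and field names (cc_number, cc_cid) are assumptions, and because this page lists no malicious containers or domains, the example uses allowlists of the store's own GTM container and script hosts instead of a blocklist.

```python
import re

# Illustrative rules only (assumed for this example, not the scanner's rule set).
RULES = [
    ("critical", "stripe-secret-key", re.compile(r"\bsk_live_[0-9A-Za-z]{16,}")),
    ("high", "decode-and-execute", re.compile(r"\b(?:eval|Function)\s*\(\s*atob\s*\(")),
    ("medium", "card-field-read", re.compile(
        r"""(?:querySelector|getElementById)\s*\(\s*['"][^'"]*(?:cc_number|cc_cid|card)[^'"]*['"]\s*\)\s*\.value""",
        re.I)),
]
GTM_ID = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")
SCRIPT_SRC = re.compile(r"""<script[^>]+src=["'](?:https?:)?//([^/"'\s]+)""", re.I)

# Constructed page source: the key, container IDs and host are placeholders.
SAMPLE = """
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-AAAA111"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ZZZZ999"></script>
<script src="//cdn.example.invalid/w.js"></script>
<script>
  var k = "sk_live_CONSTRUCTEDnotARealKey0000";
  eval(atob("Li4u"));
  var n = document.querySelector("#payment_cc_number").value;
</script>
"""

def scan(html, approved_gtm=frozenset(), approved_hosts=frozenset()):
    """Return (severity, rule, evidence) tuples, most severe first."""
    findings = []
    for severity, rule, pattern in RULES:
        for m in pattern.finditer(html):
            evidence = m.group(0)
            if rule == "stripe-secret-key":
                evidence = evidence[:12] + "..."  # never echo a full secret
            findings.append((severity, rule, evidence))
    # Any GTM container the store owner has not approved needs a manual review.
    for gtm in sorted(set(GTM_ID.findall(html)) - set(approved_gtm)):
        findings.append(("high", "unapproved-gtm-container", gtm))
    # Same idea for external script hosts.
    hosts = {h.lower() for h in SCRIPT_SRC.findall(html)}
    for host in sorted(hosts - set(approved_hosts)):
        findings.append(("medium", "unapproved-script-host", host))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f[0]])

if __name__ == "__main__":
    for finding in scan(SAMPLE, {"GTM-AAAA111"}, {"www.googletagmanager.com"}):
        print(*finding, sep="\t")
```

A card-field read on its own is weak evidence, since legitimate payment scripts do the same, which is why it is rated lowest here.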

Frequently asked questions

What is Magecart?

Magecart is the name given to groups that inject malicious scripts (skimmers) into online stores to steal card data typed at checkout. In Magento/Adobe Commerce the code is usually planted in core_config_data, CMS blocks, theme templates or — increasingly — via a malicious tag in the store's Google Tag Manager.

How is Google Tag Manager used in the attack?

The attacker breaks into the store's GTM account and creates a custom tag that, at checkout, captures the card fields and sends them to their server. Because the code is served by the trusted googletagmanager.com domain, it goes unnoticed. That's why enabling 2FA on the GTM account and reviewing who has publish access is essential.

Does this scanner guarantee my store is clean?

No. A 'no indicators' result means no known pattern was found in the static analysis of that page — but GTM skimmers only appear at runtime and injection can happen at any time. E-commerce security requires continuous monitoring, not a one-off check.

It found an indicator. What do I do now?

Treat the store as compromised: audit and remove suspicious tags in Google Tag Manager, change the Google account and Magento admin passwords, review core_config_data and CMS blocks, rotate payment keys and look for backdoors (e.g. stray PHP files under media/). If theft is confirmed, notify your acquirer and affected customers.

Does it work on WooCommerce and other platforms?

Skimmer signatures and exfiltration indicators are detected on any store. The card-field selectors are tuned for Magento 2/Adobe Commerce, but most rules (malicious GTM, exfiltration domain, exposed secret key, obfuscation) are platform-independent.

Official references

Primary sources used in building this tool. Use them to go deeper or to validate the technical criteria.