Cybersecurity researchers have discovered a new payment skimmer that uses WebRTC data channels as a means to receive payloads and exfiltrate data, effectively bypassing security controls.
“Instead of the usual HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data,” Sansec said in a report published this week.
The attack, which targeted a car maker’s e-commerce website, is said to have been facilitated by PolyShell, a new vulnerability impacting Magento Open Source and Adobe Commerce that allows unauthenticated attackers to upload arbitrary executables via the REST API and achieve code execution.
Notably, the vulnerability has since come under mass exploitation since March 19, 2026, with more than 50 IP addresses participating in the scanning activity. The Dutch security company said it has found PolyShell attacks on 56.7% of all vulnerable stores.
The skimmer is designed as a self-executing script that establishes a WebRTC peer connection to a hard-coded IP address (“202.181.177[.]177”) over UDP port 3479 and retrieves JavaScript code that’s subsequently injected into the web page for stealing payment information.
The use of WebRTC marks a significant evolution in skimmer attacks, as it bypasses Content Security Policy (CSP) directives.
“A store with a strict CSP that blocks all unauthorized HTTP connections is still wide open to WebRTC-based exfiltration,” Sansec noted. “The traffic itself is also harder to detect. WebRTC DataChannels run over DTLS-encrypted UDP, not HTTP. Network security tools that inspect HTTP traffic will never see the stolen data leave.”
Adobe released a fix for PolyShell in version 2.4.9-beta1 released on March 10, 2026. But the patch has yet to reach the production versions.
As mitigations, site owners are recommended to block access to the “pub/media/custom_options/” directory and scan the stores for web shells, backdoors, and other malware.
More Details About PolyShell Emerge
The development comes as Searchlight Cyber’s Assetnote team shared additional details of the PolyShell vulnerability, stating it’s rooted in a function named ImageProcessor::processImageContent(), which accepts any “valid” image as input and move the file to destination folder (i.e., “pub/media/custom_options/quote/<FIRST_CHAR>/<SECOND_CHAR>/<FILE_NAME>”).
As for what constitutes a valid image, the code checks that it’s not empty, has a size, has a valid MIME type, and does not have blocked characters in its file name. In other words, there is no validation to ensure that the file extension actually matches the MIME type.
This allows an attacker to upload a polyglot shell via an HTTP POST request to the “/rest/default/V1/guest-carts/{cart_id}/items” endpoint and invoke that file to achieve code execution. An important caveat here is that the uploaded file is only accessible if the web server is misconfigured; any attempt to access it will result in a 404 error message.
“If you’re using Adobe’s suggested Nginx/Apache configurations, then the files are inaccessible and not executable,” security researcher Tomais Williamson said. “However, any deviations from this configuration (or missing .htaccess files) may lead to instances being impacted.”
“For Nginx instances, Magento ships with an example configuration file that should block access to the folders and any uploaded PHP files. Deviations from this configuration that remove the deny all clauses locations affecting the pub/media/custom_options path can lead to XSS, and removing .php execution restrictions will lead to those files being executable.”
(The story was updated after publication to include insights from Searchlight Cyber about PolyShell.)
