The Sucuri blog reports a likely active Magecart campaign targeting WordPress and WooCommerce websites with a malicious plugin. The malware is installed as a regular plugin through the WordPress admin panel. It then replicates itself into the mu-plugins directory, where "must use" plugins are located, enabling a sophisticated evasion technique.
Additional evasion techniques include creating a hidden administrator with the pmv_create_hidden_admin function and subsequently reducing the administrator user count to hide the fraudulent admin user.
At checkout, the malware injects JavaScript that exfiltrates payment information to an attacker-controlled domain, fbplx[.]com. This domain was registered in September 2023, suggesting the threat is recent and likely still active.
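Two of the evasion techniques described above (self-replication into mu-plugins and a hidden administrator masked by a manipulated user count) leave traces a site owner can check for directly. The following Python script is an added example written for this summary; it is not code from Sucuri or from the malware. It assumes a standard wp-content layout and the standard `wp_usermeta` serialization, where an administrator's `wp_capabilities` value contains `s:13:"administrator";b:1;`. The directory tree and the usermeta rows in the demo are constructed inline, and the hash comparison only catches a byte-identical copy, so treat a clean result as a starting point rather than proof of absence.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Serialized PHP fragment WordPress stores for an administrator in wp_usermeta
# (meta_key "<prefix>capabilities", e.g. a:1:{s:13:"administrator";b:1;}).
ADMIN_CAP_RE = re.compile(r's:13:"administrator";b:1;')


def file_sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_replicated_mu_plugins(wp_content: Path):
    """Return (mu_plugin_file, regular_plugin_file) pairs whose contents are identical.

    A PHP file under mu-plugins/ that is a byte-for-byte copy of a file under
    plugins/ matches the self-replication behaviour described in the report.
    """
    by_hash = {}
    for php in (wp_content / "plugins").rglob("*.php"):
        by_hash.setdefault(file_sha256(php), php)
    hits = []
    for php in (wp_content / "mu-plugins").rglob("*.php"):
        twin = by_hash.get(file_sha256(php))
        if twin is not None:
            hits.append((php, twin))
    return hits


def admins_from_usermeta(rows, table_prefix="wp_"):
    """Return sorted user IDs that hold the administrator capability.

    rows are (user_id, meta_key, meta_value) tuples as exported straight from
    the wp_usermeta table, bypassing any PHP-level filtering the malware applies.
    """
    cap_key = f"{table_prefix}capabilities"
    return sorted(
        user_id for user_id, meta_key, meta_value in rows
        if meta_key == cap_key and ADMIN_CAP_RE.search(meta_value)
    )


def hidden_admin_count(rows, reported_admin_count, table_prefix="wp_"):
    """Positive when the database holds more administrators than the dashboard reports."""
    return len(admins_from_usermeta(rows, table_prefix)) - reported_admin_count


def build_demo_tree(root: Path) -> Path:
    """Constructed wp-content tree: one plugin copied verbatim into mu-plugins."""
    wp_content = root / "wp-content"
    payload = b"<?php /* constructed sample: self-replicating plugin */ add_action('init', 'x');"
    (wp_content / "plugins" / "shop-helper").mkdir(parents=True)
    (wp_content / "plugins" / "shop-helper" / "shop-helper.php").write_bytes(payload)
    (wp_content / "plugins" / "legit-seo").mkdir(parents=True)
    (wp_content / "plugins" / "legit-seo" / "legit-seo.php").write_bytes(b"<?php // constructed benign plugin")
    (wp_content / "mu-plugins").mkdir()
    (wp_content / "mu-plugins" / "shop-helper.php").write_bytes(payload)  # the replica
    (wp_content / "mu-plugins" / "site-tweaks.php").write_bytes(b"<?php // constructed benign mu-plugin")
    return wp_content


# Constructed wp_usermeta export: users 1 and 7 are administrators, 2 is a shop manager.
DEMO_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:12:"shop_manager";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "nickname", "svc"),
]


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        wp_content = build_demo_tree(Path(tmp))
        replicas = [(mu.name, str(src.relative_to(wp_content))) for mu, src in find_replicated_mu_plugins(wp_content)]
    # Dashboard shows one administrator, e.g. because the count was reduced by the malware.
    reported = 1
    return {
        "replicas": replicas,
        "db_admins": admins_from_usermeta(DEMO_USERMETA),
        "hidden_admins": hidden_admin_count(DEMO_USERMETA, reported),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live site the same two checks correspond to diffing hashes of mu-plugins against plugins and comparing a direct database count of administrators with what the Users screen shows; a discrepancy in either is worth a manual look at recently modified files and at the `wp_users` rows that the dashboard is not listing.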