Hackers collect payment information, user passwords from 4,600 websites

Hackers collect payment information

The same group of hackers compromises the use of malicious codes by Alpaca and Picreel in thousands of sites.

The hackers have broken the Picreel and open-source Alpaca Forms services analytical service and changed JavaScript files to include the malicious code on over 4,600 websites, security investigators told Cybersguards officials.

The attack is ongoing and at the time of this article malicious scripts are still live.

Both hacks were identified earlier today and confirmed by Sanguine Security founder Willem de Groot.

Picreel is an analytical service that enables website owners to record their uses and how they interact with a website to analyze behavioral patterns and increase conversation rates. Picreel customers-website owners-should insert a JavaScript code on their sites to enable Picreel to do its job. This script has been compromised by hackers by adding malicious code.

Alpaca Forms is a web-building project open-source. It was initially developed eight years ago by the company CMS provider Cloud CMS and open source. Cloud CMS still provides the project with a free CDN service (Content Delivery Network). Hackers seem to have broken this Cloud CMS-managed CDN and changed one of its Alpaca Form scripts.

Cybersguards reached out for comments from both companies. In an email, Cloud CMS CTO Michael Uzquiano informed Cybersguads that hackers only had one Alpaca Forms JavaScript file compromised on their CDN and that nothing else.


It is currently unknown how hackers have violated Picreel or Cloud CMS’s Alpaca Forms CDN. De Groot said that Cybersguards had been hacked in a Twitter conversation by the same threatening actor.

The malicious code logs all users of content into form boxes and sends them to a server in Panama. This includes information that users enter, contact forms and Log-in sections at checkout/payment pages.

Malicious code in the Picreel script was displayed on 1,249 websites, and the Alpaca Forms one in 3,435 domains.

Cloud CMS intervened and removed the CDN which served the Alpaca Form script. The company now investigates the incident and clarifies, “There have been no security or security problems with Cloud CMS, its clients or its products.” There is currently no evidence to suggest this unless Cloud CMS clients themselves use the Alpaca Forms script for their sites.


Attacks like these have become quite common in the last two years. Known as the supply chain attacks, hacker groups have realized that it is not as easy to break high profile websites, and have begun to target smaller companies providing’ secondary code’ to these sites and thousands of others.

They targeted chat providers, live support widgets, analytics firms and more.

The motivations vary according to the group. For example, certain groups hacked third parties for cryptojacking scripts while others used the same technique to use specialized code that only stolen data entered in payment forms.

The current attack is different because it’s generic and targets every form field on a website for any purpose.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.