Engineering insights on e-skimming defenses, PCI compliance, and payment security — for teams building systems that handle cardholder data.
Browser Extension Hijacking: The Invisible Supply Chain Attack
Educational Purpose Only. This article and Lab 3 are strictly for educational purposes. Code examples demonstrate attack techniques to help security professionals understand and defend against them. Never use these techniques on systems you do not own.
The Problem with Trusting Your Browser
E-skimming attacks usually require compromising a specific website — modifying its JavaScript, injecting a skimmer into its checkout flow. That targets one merchant at a time. Browser extension hijacking breaks that constraint. A compromised extension runs across every website the victim visits — not just one merchant, but every bank, every checkout, every password field, every session cookie. One compromised extension developer account can silently deliver malicious code to millions of users in a single auto-update. ...
DOM-Based Skimming: Real-Time Payment Interception Without Form Submission
Educational Purpose Only. This article and Lab 2 are strictly for educational purposes. Code examples demonstrate attack techniques to help security professionals understand and defend against them. Never use these techniques on systems you don’t own.
Beyond the Submit Button
Classic Magecart attacks (covered in Lab 1) wait for a user to hit “Submit” before stealing payment data. DOM-based skimming is more aggressive: it captures data keystroke by keystroke, in real time, before any form is submitted. ...
Favicon Trojan: Hiding JavaScript Skimmers Inside Images with Steganography
Educational Purpose Only. This article and Lab 4 are strictly for educational purposes. Code examples demonstrate attack techniques to help security professionals understand and defend against them. Never use these techniques on systems you do not own.
When Security Tools Stop Looking
Every serious JavaScript security control — Content Security Policy, Subresource Integrity, script-src allow-lists, WAF rules — is built around the same assumption: the payload is in a script. ...
Migrating from Cloud Build to GitHub Actions with Workload Identity Federation
This post documents the migration of pcioasis-payments CI/CD from Cloud Build to GitHub Actions using Workload Identity Federation (WIF). It is a concrete implementation record — specific project IDs, script names, and the exact ordering decisions we made — not a general tutorial. If you want the conceptual background on WIF, read Part 1 first. This post assumes you understand what WIF does and focuses on how we applied it. ...
Meta's Instagram AI Bot Proved the Rule: Every Capability Is an Attack Surface
On June 1, 2026, app researcher Jane Manchun Wong woke up to find her Instagram account compromised overnight. So did the operators of @obamawhitehouse, @hey, @jowo (combined street value: over $1 million), an official Sephora account, and a U.S. Space Force Chief Master Sergeant’s profile. The attacker didn’t exploit a zero-day or breach Meta’s databases. They asked politely. In plain English. To an AI chatbot.
The Attack Chain
Meta’s AI-powered account support assistant had write access to Instagram’s email-binding and password-reset APIs — enough to do its job of helping users recover locked accounts. The attack required nothing exotic: ...
zkTLS: Cryptographic Proof That Web Data Is Real
You can screenshot a bank statement. You can export a CSV from your payroll provider. You can copy text from any HTTPS page you have access to. What you cannot do — until recently — is prove to a third party that the data came from where you claim, without also handing them your credentials, running through a centralized KYC gateway, or asking the original server to cooperate. ...
Replacing Static GCP Credentials in CI/CD with Workload Identity Federation
Part 1 of 2 — Concepts and Architecture
If your GitHub Actions workflows authenticate to GCP using a stored secret — a service account key JSON, a FIREBASE_TOKEN, or any other long-lived credential — you have a static credential problem. It doesn’t matter what format the credential is in. The issue is that it exists at rest, in GitHub, and was generated by a person who may no longer work there. ...
Setting Up Workload Identity Federation: An Agent-Assisted Rollout
Part 2 of 2 — Implementation
Part 1 explained the concepts and the three decisions you need to make: where the WIF pool lives, whether to use branch or environment conditions, and who approves production deploys. This post walks through the actual rollout using an AI coding agent (Claude Code) to examine your existing infrastructure, propose a plan, and execute it step by step — with you reviewing and approving at every decision point. The agent handles the mechanical work. You make the security decisions. ...
Understanding Magecart: How E-Skimming Attacks Steal Payment Data
Educational Purpose Only. This article and Lab 1 are strictly for educational purposes. Code examples demonstrate attack techniques to help security professionals understand and defend against them. Never use these techniques on systems you don’t own.
What is Magecart?
Magecart is not a single hacking group, but an umbrella term for multiple cybercriminal organizations that specialize in stealing payment card data from e-commerce websites. These attacks are also known as: ...