
Cyber Incident Victim: Alpaca Forms

Date:

May 2019

Location:

Panama

Summary

Attackers compromised the servers of several third-party service providers, including Alpaca Forms, and injected malicious scripts that were distributed to thousands of websites. The scripts harvested data from every form field—payment details, login credentials, and contact information alike—and exfiltrated it to a Panama-based server. The attack was a supply-chain compromise: rather than breaching high-profile sites directly, the attackers abused the providers' widespread code distribution to maximize reach. Cloud CMS responded by disabling the CDN that delivered the compromised script, and in the cases of Picreel and OmniKick the injected code failed to execute because of coding errors, which limited data theft there. The incident illustrated a broader trend of attackers targeting secondary vendors to reach many sites at once.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

The incident involving Alpaca Forms emerged on May 12, 2019, when security researcher Willem de Groot of Sanguine Security identified malicious scripts operating on the servers of Alpaca Forms and Picreel. These scripts were subsequently confirmed by RiskIQ researchers to also impact five additional companies: AppLixir, RYVIU, OmniKick, eGain, and AdMaxim. Attackers compromised the servers of these seven service providers to inject malicious code into their web scripts, which were then delivered to approximately 4,600 customer websites. The malicious code functioned by logging all data entered into form fields—including payment details, passwords, and contact information—and exfiltrating this information to a server located in Panama. This broad targeting mechanism affected any form field across compromised sites, regardless of whether it was part of a checkout page, login section, or contact form. At the time of initial reporting, the attack remained active, with malicious scripts still operational on numerous websites.


Cloud CMS, which provided free CDN hosting for Alpaca Forms’ compromised script, intervened by taking down the entire CDN serving the tainted script. The company stated there was no evidence of a breach within its own infrastructure, emphasizing that the issue stemmed from customers independently using the compromised Alpaca Forms script. Picreel and OmniKick avoided severe consequences due to coding errors in the malicious scripts, which prevented execution. Similarly, eGain’s breach was limited to a script affecting only its own website, sparing customer sites. The attack exemplified a supply-chain compromise, where threat actors targeted third-party providers of secondary code to indirectly infiltrate thousands of websites. This approach contrasted with earlier, more specialized campaigns that focused solely on payment forms or cryptojacking. The incident underscored the growing prevalence of such attacks, which exploit trust in third-party vendors to maximize reach and data theft efficiency. No specific attribution or motive was disclosed, though the indiscriminate data collection suggested financial gain as a primary objective.
