
Cyber Incident Victim: NutriBullet

Date: Feb 2020

Location: United States of America

Summary

The NutriBullet website was compromised by Magecart Group 8, which injected malicious skimming code to steal customer payment card information during online transactions. Attackers repeatedly deployed new skimmers targeting jQuery libraries and site scripts after initial takedowns, exfiltrating data to changing command-and-control servers. The breach exposed financial details submitted through checkout pages, risking fraudulent use. The company removed the malicious code, initiated forensic investigations, and implemented enhanced security measures including multi-factor authentication to prevent future intrusions.


Description

The NutriBullet website experienced multiple Magecart skimming attacks between February 20 and March 17, 2020. RiskIQ researchers identified the first skimmer on February 20, attributing it to Magecart Group 8, a collective specializing in JavaScript-based payment card theft. Attackers injected malicious code into a jQuery JavaScript library used across all NutriBullet pages, appending it to the end of the library so that it captured customer payment details during online transactions. The stolen data was exfiltrated to a command-and-control (C2) server controlled by the attackers. The initial skimmer was removed by March 1, but a second variant appeared on March 6, targeting a separate jQuery submodule resource. A third skimmer emerged on March 10, injected at the top of another site script named main-build-8a9adc31.js. RiskIQ collaborated with AbuseCH and ShadowServer to disrupt the C2 infrastructure after each iteration, though the attackers persistently deployed replacement servers.
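Each skimmer described above altered a first-party script in a detectable way: code appended to the end of a library, or code prepended at the top of a site script. A defender who keeps a known-good copy of every served script can catch both patterns by re-hashing what the web server actually delivers and diffing it against the baseline. The following Python is an added example written for this record; it is not NutriBullet's or RiskIQ's tooling. The script names and bodies are constructed placeholders, and the "injected" tails are inert comment strings, assumed only to show how the check classifies the change. The same hash is what a Subresource Integrity (SRI) attribute would carry, so the helper also emits a script tag that a browser would refuse to run if the file were tampered with.

```python
"""Baseline-integrity check for served JavaScript assets.

Added example (not part of the original incident record). Given a known-good
copy of each script and the copy currently being served, it flags any script
whose SRI-style hash no longer matches and reports whether the change is
content appended to the end (the jQuery library case) or prepended at the top
(the site script case). All script bodies here are constructed placeholders.
"""
import base64
import hashlib


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity string such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_script_tag(src: str, content: bytes) -> str:
    """Build a <script> tag pinned to the baseline content via SRI."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def classify_change(baseline: bytes, served: bytes) -> str:
    """Describe how the served file differs from the baseline copy."""
    if served == baseline:
        return "unchanged"
    if served.startswith(baseline):
        return "appended"      # extra bytes after the original file
    if served.endswith(baseline):
        return "prepended"     # extra bytes before the original file
    return "modified"          # changed somewhere in the middle


def check_assets(baseline_assets: dict, served_assets: dict) -> list:
    """Compare every served script against its baseline and return findings.

    Each finding carries the expected and observed hash plus the raw bytes
    that were added, so an analyst can inspect the foreign code directly.
    """
    findings = []
    for name, baseline in baseline_assets.items():
        served = served_assets.get(name)
        if served is None:
            findings.append({"asset": name, "status": "missing", "extra": b""})
            continue
        status = classify_change(baseline, served)
        if status == "appended":
            extra = served[len(baseline):]
        elif status == "prepended":
            extra = served[:len(served) - len(baseline)]
        else:
            extra = b""
        findings.append({
            "asset": name,
            "status": status,
            "expected": sri_hash(baseline),
            "observed": sri_hash(served),
            "extra": extra,
        })
    return findings


# Constructed baseline copies (placeholders, not real site assets).
BASELINE = {
    "jquery.min.js": b"/* jQuery placeholder */ window.$ = function () {};",
    "main-build.js": b"/* site script placeholder */ console.log('ready');",
}

# Constructed "served" copies: one with a tail appended, one with a head
# prepended. The injected text is an inert comment, used only as a marker.
SERVED = {
    "jquery.min.js": BASELINE["jquery.min.js"] + b"\n/* INJECTED_PLACEHOLDER */",
    "main-build.js": b"/* INJECTED_PLACEHOLDER */\n" + BASELINE["main-build.js"],
}


def run_check() -> list:
    """Run the comparison over the constructed sample and return the findings."""
    return check_assets(BASELINE, SERVED)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f['asset']}: {f['status']}")
        if f["extra"]:
            print("  added bytes:", f["extra"])
    print(sri_script_tag("/js/jquery.min.js", BASELINE["jquery.min.js"]))
```

In practice the baseline dictionary would be populated from the build artifacts and the served dictionary from periodic fetches of the live site, so the check runs as a monitoring job rather than a one-off. Pinning the baseline hash in an SRI attribute adds a second, browser-enforced layer: even if the file on the server is altered again after a cleanup, a page that references it with the old hash will not execute the modified copy.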


The skimming code matched samples previously linked to Magecart Group 8’s 2019 compromises of Amerisleep and MyPillow; the group has affected over 200 domains historically. NutriBullet’s IT team fully removed the malicious code by March 17 after external disclosure, initiating forensic investigations and updating security protocols. The company implemented Multi-Factor Authentication (MFA) for credential access and reinforced its security policies. The scope of the customer data breach was not quantified publicly, but the repeated skimmer deployments exposed payment card information submitted during the attack window. RiskIQ emphasized that taking down the external malicious domains alone was insufficient to prevent recurrence, because the unresolved website vulnerabilities allowed the payload to be redeployed.
