Hackers Compromise Thousands of Websites Through Their Analytics Module

Last updated September 28, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

A group of hackers has managed to compromise about 4600 websites that use the Picreel analytics and the Alpaca HTLM5 forms generator. The malicious actors first breached those services, and then modified their JavaScript files to compromise the websites that use them. The discovery of the hacks was made by forensic analyst and security researcher Willem de Groot, while numerous other researchers have confirmed the findings and the fact that the malicious JavaScript code is still running and sending data to the group’s server in Panama.

As this is another incident of a supply-chain attack, the response of the companies who had their code breached is an important factor. Cloud CMS, which is the provider of the free CDN (content delivery network) that is used by Alpaca forms has reassured the public that the hackers have compromised only one JavaScript file on the CDN, and this has now been fixed. As for the Picreel, there has been no official response by them, and their analytics script is probably still infected with the hackers’ code. After contacting the company asking for a response, we received no official acknowledgment of the breach.

In total, the Picreel script was found in about 1250 websites, while the Alpaca Forms code was spread over 3350 domains. This means that right now, there are millions of people who have their sensitive information recorded and sent to the shady Panama servers. According to the researchers, the malicious code focuses on the grabbing of whatever information a visitor of the infected websites enter on them, including the contact forms, login boxes, and the payment webpages. This means that the actors can steal login credentials and even credit card details that are used in payment checkout pages. Obviously, quite a few of these details have already been exfiltrated, but at this point, there’s no estimate of the total damage.

Due to a large number of the infected websites, we can’t give any lists, so if you have done any purchases using your credit card or entered sensitive information on any website, you should check for yourself in these two lists (1, 2) and figure out whether the website you have visited was using contaminated JavaScript code.

Did you find a match? Let us know which one it was in the comments down below, helping others stay safe and informing the community. Don’t forget that you have the power to help us spread the word of warning by sharing this post through our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: