Adex - tag manager injection attack channel, showing how trusted tracking tags can become live code used for skimming, redirects, and trace-wiping.

Malicious Tag Manager Injection: When Tracking Tags Become an Attack Channel

A tracking tag looks harmless. It counts a page view, fires a conversion pixel, loads an A/B test. Once it works, most teams stop thinking about it, and that quiet trust is exactly the gap an attacker can use.

A tag is code, and a Custom HTML tag runs inside your page with much the same access as the page’s own scripts. It can read the form a shopper is filling in. It can rewrite a link. Unless a Content Security Policy (CSP) blocks it, it can pull a second script from a server you have never heard of. When that reach sits inside a tool the whole industry trusts by default, you have an attack channel hiding in plain sight.

This is what malicious tag manager injection exploits. The tag manager works as a trusted courier for code. The abuse comes from who gets to hand it a package and whether anyone checks what is inside. To see where the danger lives, follow a tag through its life: who can place it, how it loads, what it does once it fires, and where the chain of trust quietly snaps.


Who Can Put a Tag on Your Page

Start with the legitimate path, because that is the path attackers borrow.

A marketer needs a new pixel live on the site. They open a tag manager, usually Google Tag Manager (GTM), the container most sites run. They paste a snippet, set a trigger, and publish. The container updates, and the new tag ships to every visitor. No engineering ticket, no code review, no deploy. That speed is the whole point of a tag manager, and it is why marketing teams love it.

Now think about how many people hold access to that container. The marketer has it. So does the agency that set up the account. So does the analytics contractor from two years ago whose login was never removed. So does anyone who phished or reused a password that later leaked. 

Access comes in levels, and only an account with publish rights can push a tag live. But that is the point: the list of people who can edit or publish is long, rarely audited, and most companies cannot say with confidence who is on it.

A tag manager turns publishing into a permission, not a deployment. Whoever holds the permission speaks to your visitors directly. The chain of custody for code on your site is only as tight as the access list on that container, and access lists rot.


How a Tag Loads and What Gives It Power

When a visitor opens your page, the browser sees the container snippet and fetches it from googletagmanager.com.

That domain is one of the most trusted on the web. It sits on allowlists inside firewalls, ad verification tools, and content filters. Security products see it and wave it through, because blocking Google’s tag infrastructure would break half the internet.

The container loads and runs. It reads its configuration and fires whatever tags it was told to load. A tag that injects JavaScript, like a Custom HTML tag, becomes live code inside your page. 

And here is the part teams forget: that code runs in the same context as everything else on the page. It can reach into the Document Object Model (DOM), the live structure of the page in the browser. It can read input fields, watch clicks, and add new elements. The browser does not wall a third-party script off from the credit card form. They share the same room.

So a tag inherits two things at once. It inherits the trust of the domain it came from, and it inherits the full reach of the page it lands on. Provenance buys it past your defenses, and the DOM hands it the goods. 

Nothing about that is malicious on its own. It is exactly how legitimate analytics work. It is also exactly what an attacker needs.

Tag Lifecycle

How a tag travels from a marketer’s click to live code on your page:

1. Source: a marketer or agency publishes a tag.
2. Container: the GTM container updates.
3. Delivery: served from googletagmanager.com.
4. Browser: the visitor loads the page.
5. Live Tag: runs as code inside the DOM, trusted by domain and with full DOM reach.

A tag inherits two things at once: the trust of the domain it came from, and the power to read forms, watch clicks, and rewrite links on the page.


What a Tag Does After It Fires

Once a malicious tag is live, the playbook is short and well-practiced.

  • Getting payment data

The most common goal is payment data. Security researchers have documented long-running campaigns where attackers load what looks like an ordinary GTM and Google Analytics script, but the container holds an encoded JavaScript payload.

That payload is a skimmer. It waits on the checkout page, reads the card number and details as the shopper types, and sends them to a server the attacker controls. Sucuri tracked one such skimmer to ATMZOW, a Magecart actor whose code has surfaced since 2015, and Akamai documented a separate campaign built to look like a normal Google Tag Manager load.

Recorded Future’s Insikt Group, studying the wider pattern, confirmed hundreds of GTM containers carrying skimmers and traced more than 165,000 stolen card records to the technique.

  • Redirecting to scam pages

A second goal is redirection. The tag injects a script that pushes the visitor to a page they never meant to visit: a fake offer, a scam, a malware prompt. The traffic looks like it came from your site, because it did.

  • Covering the tracks

The third move is the one that makes the other two dangerous, and it appears in a campaign Adex documented. The malicious code covers its tracks. On the compromised sites in that case, the injected code did more than redirect users. It reached into the analytics layer and wiped the evidence, clearing Google Tag Manager and Yandex Metrica data so the redirect left no trail in the dashboards the marketing team actually watches. 

The team checks their numbers, sees nothing unusual, and the attack runs for weeks. A tag that can read the page can also blind the people guarding it.
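One defender-side check for the trace-wiping pattern just described, added here as an example and not part of Adex’s write-up: a tag running in the page can clear client-side analytics, but it cannot touch the web server’s access logs, so the two counts can be compared day by day. A tag-based counter normally sits at a stable fraction of server hits (ad blockers, bots, consent banners), so the ratio between the sources, not the raw count, is the signal. The dates, page-view counts and the 30% drop threshold below are all constructed for the example.

```javascript
// Added example, not code from the article or from Adex. Daily page views for one
// landing page from two independent sources; every number here is constructed.
const SERVER_HITS = { // from web server / CDN access logs: a tag cannot edit these
  '2024-05-01': 10240, '2024-05-02': 10410, '2024-05-03': 9980, '2024-05-04': 10150,
  '2024-05-05': 10300, '2024-05-06': 10090, '2024-05-07': 10220, '2024-05-08': 10310,
};
const ANALYTICS_HITS = { // exported from the tag-based analytics dashboard
  '2024-05-01': 9610, '2024-05-02': 9790, '2024-05-03': 9350, '2024-05-04': 9540,
  '2024-05-05': 9660, '2024-05-06': 4120, '2024-05-07': 9480, '2024-05-08': 980,
};

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Returns the days whose analytics/server ratio fell more than `drop` (a fraction)
// below the median ratio across all days. The median is used as the baseline so a
// few wiped days do not drag the baseline down with them.
function findAnalyticsGaps(serverHits, analyticsHits, drop = 0.3) {
  const days = Object.keys(serverHits).filter(d => d in analyticsHits).sort();
  const ratios = days.map(d => analyticsHits[d] / serverHits[d]);
  const baseline = median(ratios);
  return days
    .map((d, i) => ({ day: d, ratio: ratios[i] }))
    .filter(x => x.ratio < baseline * (1 - drop))
    .map(x => ({
      day: x.day,
      ratio: Number(x.ratio.toFixed(3)),
      baseline: Number(baseline.toFixed(3)),
    }));
}

function runSample() {
  return findAnalyticsGaps(SERVER_HITS, ANALYTICS_HITS);
}

for (const gap of runSample()) {
  console.log(`analytics gap on ${gap.day}: ratio ${gap.ratio} vs baseline ${gap.baseline}`);
}
```

On the constructed data the check flags two days where the server kept serving the page while the dashboard went quiet. In practice the server-side count would come from a log pipeline the marketing tooling has no write access to; that separation is what makes the comparison meaningful.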


Where the Chain of Custody Breaks

1. Account access. A tag manager container is governed by logins, and logins leak, get phished, or outlive the people they belonged to. Attackers who reach the account do not break anything. They publish, exactly as a real marketer would.

2. Edit rights inside the container. Even with a secure account, many tags are configured by outside agencies and contractors. Every editor is a place where a malicious tag can enter through a legitimate door.

3. Third-party tags. A tag often loads another script from another vendor’s server. You vetted the vendor, not every future version of their code. The Polyfill.io incident in 2024 showed how this plays out: a widely used script library changed hands, the new owner pushed malicious code, and more than 100,000 sites served it without changing a line of their own. A trusted source had gone rogue, and trust based on the source name carried the payload straight through.

4. The trusted-domain blind spot. Because googletagmanager.com is allowlisted nearly everywhere, the usual perimeter tools do not inspect what rides on it. Google does run automated malware scanning on containers and has since 2016, but attackers obfuscate payloads and rotate domains to stay ahead of it. The allowlist that keeps tags working is the same allowlist that keeps a malicious tag from being questioned.

5. Dynamic injection, the most overlooked of all. Many defenses assume scripts are declared in your page’s HTML, where you can pin them. A tag manager injects scripts dynamically, at runtime, from inside JavaScript. That timing slips past protections built for static markup, which is the point of the next section.

Chain of Custody

Five places the chain breaks:

1. Account access: logins leak, get phished, or outlive the people they belonged to.
2. Container edit rights: every outside agency or contractor with edit access is a door.
3. Third-party tags: you vetted the vendor, not every future version of their code.
4. Trusted-domain blind spot: allowlisted domains ride past perimeter tools uninspected.
5. Dynamic runtime injection: scripts added at runtime slip past defenses built for static markup.

Trust is only as tight as the weakest link.


Closing the Gaps: Governance Over the Tag Lifecycle

There is no single switch for this. The fix is governance across the whole life of a tag, layered so that no one control has to be perfect.

Start with access, because it is the cheapest win and the one most often ignored. Treat the tag manager container like production infrastructure, because it is. Keep a current list of who can publish, remove old agencies and contractors the day a contract ends, require strong authentication on every account, and turn on the container’s own change history so every publish has a name attached. Most injection through a tag manager starts with access that should not have existed.

Then layer the browser-side controls, and know what each one can and cannot do.

A Content Security Policy (CSP) tells the browser which sources are allowed to run scripts. Set well, it stops a tag from pulling code off an unapproved domain. Its weakness is the trusted-domain problem again: if your policy allows googletagmanager.com, and the abuse rides on a container served from there, CSP sees an approved source and lets it run.
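To make that limit concrete, here is an added example (not code from the article or from Adex) of a simplified evaluator for the script-src directive of a CSP. It models 'self', 'none', 'unsafe-inline', scheme-sources and host-sources with wildcards, ports and paths; nonces, hashes and 'strict-dynamic' are deliberately left out, so it is a tool for reasoning about a policy, not for enforcing one. The policy string, the page origin shop.example, the unlisted host and the GTM-PLACEHOLDER container id are all constructed for the example.

```javascript
// Added example, not from the article: a reduced model of CSP script-src matching.
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(\/\S*)?$/i;

function parseDirectives(policy) {
  // "script-src 'self' https://a.example; img-src *" -> { 'script-src': [...], 'img-src': [...] }
  const out = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

function scriptSources(policy) {
  const d = parseDirectives(policy);
  // Browsers fall back to default-src when script-src is absent.
  return d['script-src'] || d['default-src'] || [];
}

function effectivePort(url) {
  if (url.port) return url.port;
  return url.protocol === 'https:' ? '443' : '80';
}

function hostSourceMatches(source, url) {
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  const h = url.hostname.toLowerCase();
  const patternHost = host.toLowerCase();
  if (wildcard) {
    // '*.example.com' matches subdomains only, never the bare apex.
    if (!(h.endsWith('.' + patternHost) && h.length > patternHost.length + 1)) return false;
  } else if (h !== patternHost) {
    return false;
  }
  if (port && port !== '*' && port !== effectivePort(url)) return false;
  if (path) {
    // A path ending in '/' is a prefix match; otherwise it must match exactly.
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// scriptUrl === null stands for an inline <script> body, which is what a Custom HTML tag emits.
function scriptAllowed(policy, pageOrigin, scriptUrl) {
  const sources = scriptSources(policy);
  if (sources.includes("'none'")) return false;
  if (scriptUrl === null) return sources.includes("'unsafe-inline'");
  const url = new URL(scriptUrl);
  const page = new URL(pageOrigin);
  for (const src of sources) {
    if (src === "'self'") { if (url.origin === page.origin) return true; continue; }
    if (src.startsWith("'")) continue;               // other keyword sources are not modelled
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {          // scheme-source such as https:
      if (src.toLowerCase() === url.protocol) return true;
      continue;
    }
    if (hostSourceMatches(src, url)) return true;
  }
  return false;
}

// Constructed policy typical of a site that runs GTM: the container host is allowlisted.
const POLICY = "default-src 'self'; script-src 'self' https://www.googletagmanager.com";
const PAGE = 'https://shop.example';

function demo() {
  return {
    // The container passes on provenance alone; CSP cannot see which tags it carries.
    container: scriptAllowed(POLICY, PAGE, 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER'),
    // A second-stage script from an unlisted host is refused: this is where CSP does help.
    secondStage: scriptAllowed(POLICY, PAGE, 'https://cdn.unlisted.invalid/extra.js'),
    // An inline body is refused too, unless the policy carries 'unsafe-inline' or a nonce.
    inline: scriptAllowed(POLICY, PAGE, null),
  };
}
```

The three results in `demo()` are the whole argument of the paragraph above: the allowlisted container is admitted without inspection, while a follow-on fetch from an unlisted origin and a bare inline body are still blocked.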

Subresource Integrity (SRI) pins a script to a cryptographic hash so the browser rejects it if a single byte changed. It is strong against a trusted file being swapped out, the Polyfill.io scenario. But SRI has a precise limit that matters here: it only covers scripts you can hash in advance, and it only protects a dynamically injected script if the integrity and crossOrigin attributes are set before the script is added to the page. Most tags are injected at runtime without those attributes, so SRI never engages. It guards the front door while the tag comes through the side.

Trusted Types narrows what code is allowed to write dangerous content into the DOM, which shrinks the room an injected payload has to operate. DOM-mutation monitoring watches the live page for unexpected changes, such as a new script node or a form field that started reporting to a strange address, and flags them in real time. These are the controls that look at behavior rather than origin, and behavior is where injection finally shows itself.
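The DOM-mutation monitoring just mentioned, as an added example that is not code from the article or from Adex: the decision logic is a pure function over small event objects so it can be tested anywhere, and a thin wrapper translates real MutationRecords into those events and feeds them from a MutationObserver when a browser is present. The page origin shop.example, the script allowlist, the unlisted hosts and the GTM-PLACEHOLDER container id are constructed for the example; an inline script insertion is reported because that is what a Custom HTML tag emits, and it is left to the reviewer to decide whether a given one was expected.

```javascript
// Added example, not from the article: DOM-mutation monitoring reduced to a testable core.
const PAGE_ORIGIN = 'https://shop.example';
const SCRIPT_ALLOWLIST = new Set(['https://shop.example', 'https://www.googletagmanager.com']);

function originOf(urlString, base = PAGE_ORIGIN) {
  try { return new URL(urlString, base).origin; } catch { return null; }
}

// One DOM change as a plain object:
//   { type: 'script-added', src: '<url>' | null }          (null = inline body)
//   { type: 'form-action-changed', action: '<url>' }
// Returns an array of findings, empty when the change looks benign.
function assessMutation(ev) {
  const findings = [];
  if (ev.type === 'script-added') {
    if (ev.src === null) {
      findings.push('inline script inserted at runtime');
    } else {
      const o = originOf(ev.src);
      if (o === null) findings.push(`script with unparsable src: ${ev.src}`);
      else if (!SCRIPT_ALLOWLIST.has(o)) findings.push(`script loaded from unlisted origin ${o}`);
    }
  } else if (ev.type === 'form-action-changed') {
    // A form that starts posting somewhere other than the page's own origin is the
    // shape a skimmer leaves behind when it rewrites the checkout form.
    const o = originOf(ev.action);
    if (o !== PAGE_ORIGIN) findings.push(`form now submits to ${o ?? ev.action}`);
  }
  return findings;
}

// Browser-only: turn MutationRecords into events and report whatever trips.
function handleRecords(records, report = console.warn) {
  const all = [];
  for (const rec of records) {
    if (rec.type === 'childList') {
      for (const node of rec.addedNodes) {
        if (node.tagName === 'SCRIPT') {
          all.push(...assessMutation({ type: 'script-added', src: node.getAttribute('src') }));
        }
      }
    } else if (rec.type === 'attributes' && rec.target.tagName === 'FORM' && rec.attributeName === 'action') {
      all.push(...assessMutation({ type: 'form-action-changed', action: rec.target.getAttribute('action') || '' }));
    }
  }
  for (const f of all) report(`[dom-monitor] ${f}`);
  return all;
}

// Start this before the container snippet so the observer sees the tags it injects.
function startDomMonitor(doc = globalThis.document) {
  if (!doc || typeof MutationObserver === 'undefined') return null;
  const obs = new MutationObserver(records => handleRecords(records));
  obs.observe(doc.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ['action'],
  });
  return obs;
}

// Constructed sample of what a checkout page might see after the container fires.
const SAMPLE_EVENTS = [
  { type: 'script-added', src: 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER' }, // expected
  { type: 'script-added', src: '/static/checkout.js' },                                       // first-party
  { type: 'script-added', src: null },                                                        // Custom HTML tag body
  { type: 'script-added', src: 'https://cdn.unlisted.invalid/extra.js' },                    // not on the allowlist
  { type: 'form-action-changed', action: 'https://collect.unlisted.invalid/submit' },        // form rerouted off-site
];

function runSample() {
  return SAMPLE_EVENTS.flatMap(assessMutation);
}
```

Note what this layer keys on: not where the container came from, but what appeared in the page after it ran. The allowlisted container and the first-party script produce no findings; the runtime inline body, the unlisted origin and the rerouted form do.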

That last point is the heart of the defense. A tracking tag is trusted by provenance, by the name of the domain it came from, not by what it does once it runs.

Every perimeter control keyed to provenance can be walked past by code wearing a trusted name. The only controls that catch a tag wiping analytics data or skimming a form are the ones watching behavior. This is the layer Adex works on. By analyzing how traffic and scripts behave after the page loads, rather than trusting a source because it is on a list, buy-side detection can surface a tag that has started acting like an attacker even when it arrived through a trusted door. It does not replace CSP or access governance. It catches what those layers, by design, let through.

For deeper architecture on the broader category, see the Adex breakdown of ad injection attacks, and the field report on malicious redirects detected in live campaigns where this trace-wiping behavior was first documented.

Defense in Depth

Provenance trusts the name. Behavior watches the action.

Provenance-based controls (a trusted name walks straight through):

  • Content Security Policy (CSP)
  • Subresource Integrity (SRI)
  • Domain allowlists

Behavior-based controls (catch a tag once it starts misbehaving):

  • Trusted Types
  • DOM-mutation monitoring
  • Post-load / buy-side detection

A tag is trusted by provenance, not by behavior. The controls that catch a tag skimming a form or wiping analytics data are the ones watching what it does.


Frequently Asked Questions

Is Google Tag Manager unsafe to use?

No. GTM is a standard tool used safely by millions of sites, and Google scans containers for known malware. The risk lies in loose access to the container and in the industry’s habit of trusting anything served from its domain without watching what that code does.


How would I even know a malicious tag is running?

Often, you would not, which is the problem. The clearest signs are behavioral: a script reading checkout fields, traffic redirecting off-site, or gaps in your analytics where data was cleared. Perimeter tools tend to miss these because the tag arrives from a trusted source. Behavioral and post-load monitoring is what surfaces them.


Will a Content Security Policy stop this on its own?

It helps, but not on its own. CSP blocks scripts from unapproved sources. If your policy approves the tag manager’s domain, and the abuse rides inside a container from that domain, CSP treats it as allowed. Pair it with integrity checks where they apply, access governance, and behavioral monitoring.


Most of these examples are checkout pages. We run ad campaigns. Does this affect us?

Yes. Skimming shows up at checkout, but redirection and trace-wiping hit campaigns and landing pages just as easily. If a tag on your landing page reroutes paid traffic or scrubs your conversion data, you pay for clicks that never reach you and cannot see it in your reports.