From bleepingcomputer.com
Attackers are abusing Google’s Apps Script business application development platform to steal credit card information submitted by customers of e-commerce websites while shopping online.
They are using the script.google.com domain to successfully hide their malicious activity from malware scan engines and bypass Content Security Policy (CSP) controls.
They take advantage of the fact that online stores would consider Google’s Apps Script domain as trusted and potentially whitelisting all Google subdomains in their sites’ CSP configuration (a security standard for blocking untrusted code execution in web apps).