Hackers use pixel-large SVG trick to hide credit card stealer

Hackers Deploy Pixel-Sized SVG Trick to Hide Credit Card Stealer in 100+ Magento Stores

In a stealthy and highly sophisticated cyberattack, threat actors have compromised nearly 100 Magento-based online stores by hiding a credit card-stealing skimmer inside a 1×1-pixel SVG image—an attack so subtle it could easily bypass traditional security scans.

The discovery was made by Sansec, a leading eCommerce security firm, which warns that this latest Magecart-style attack leverages a clever encoding technique to mask malicious JavaScript inside an otherwise harmless-looking SVG element.

How the Attack Works

The attackers inject a single-pixel SVG image with an onload handler directly into the website’s HTML. That handler contains the entire skimmer payload, base64-encoded inside an atob() call and executed via setTimeout. This method cleverly avoids creating external script references—a common red flag for security tools—allowing the malware to live entirely inline as a single string attribute.

When an unsuspecting shopper clicks the checkout button, the malicious script intercepts the action and displays a convincing fake “Secure Checkout” overlay. This overlay includes fields for credit card details and billing information. The stolen payment data is then validated in real time using the Luhn algorithm (a standard checksum formula for card numbers) before being exfiltrated to the attackers.

The exfiltration itself is obfuscated using XOR encryption and base64 encoding, making it harder for network monitoring tools to detect the stolen data in transit. The data is sent as a JSON payload to attacker-controlled domains.

The Root Cause: PolyShell Vulnerability

Sansec believes the attackers likely gained initial access by exploiting the PolyShell vulnerability, a critical flaw disclosed in mid-March 2025. PolyShell affects all stable versions of Magento Open Source and Adobe Commerce, enabling unauthenticated remote code execution and full account takeover.

Alarmingly, more than half of all vulnerable Magento stores were targeted in PolyShell-related attacks, some of which deployed payment card skimmers using WebRTC for stealthy data exfiltration.

Despite the widespread exploitation, Adobe has yet to release a security patch for production versions of Magento. The only available fix is in the pre-release version 2.4.9-alpha3+, leaving thousands of stores exposed.

Indicators of Compromise

Sansec identified six exfiltration domains, all hosted by IncogNet LLC (AS40663) in the Netherlands. Each domain was receiving data from 10 to 15 confirmed victims at the time of discovery.

To determine if your store has been affected, Sansec recommends:

  • Scan for hidden SVG tags with onload attributes containing atob() and remove them.
  • Check browser localStorage for the _mgx_cv key, which may indicate stolen payment data.
  • Monitor for requests to /fb_metrics.php or unfamiliar analytics-like domains.
  • Block traffic to IP address 23.137.249.67 and associated domains.
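A defender-side check for the pattern described above and in Sansec's first recommendation: an `<svg>` element whose `onload` handler combines `atob()` with `setTimeout`. This is an added example, not Sansec's tooling or code from the article; the list of flagged call names, the sample HTML and its base64 payload are constructed (the payload is a benign `console.log`), and the decoder only reads the literal for review, it never executes it.

```python
import base64
import re
from html.parser import HTMLParser

# Call names the article associates with the inline loader; a handler using any of them is flagged.
SUSPICIOUS_CALLS = ("atob(", "setTimeout(", "eval(", "Function(")

def _decode_atob_args(handler):
    """Decode base64 literals passed to atob() for analyst review; nothing is executed."""
    out = []
    for lit in re.findall(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""", handler):
        try:
            out.append(base64.b64decode(lit, validate=True).decode("utf-8", "replace"))
        except ValueError:                    # binascii.Error is a ValueError subclass
            out.append("<undecodable>")
    return out

class SvgOnloadScanner(HTMLParser):
    """Collects <svg> start tags whose onload handler uses one of SUSPICIOUS_CALLS."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "svg":                      # html.parser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        onload = a.get("onload", "")
        hits = [c for c in SUSPICIOUS_CALLS if c in onload]
        if hits:
            dims = [re.match(r"\s*(\d+)", a.get(k, "")) for k in ("width", "height")]
            self.findings.append({
                "line": self.getpos()[0],
                "tiny": all(d and int(d.group(1)) <= 1 for d in dims),  # 1x1, as in the campaign
                "calls": hits,
                "decoded": _decode_atob_args(onload),
            })

def scan_html(html):
    parser = SvgOnloadScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: a benign 1x1 SVG in the campaign's shape, plus an ordinary SVG.
SAMPLE_PAYLOAD = 'console.log("constructed sample, not a real skimmer")'
SAMPLE_HTML = f"""<html><body>
<svg width="1" height="1" onload="setTimeout(function(){{eval(atob('{base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()}'))}},0)"></svg>
<svg width="24" height="24" onload="this.classList.add('ready')"></svg></body></html>"""
```

Run `scan_html()` over exported page templates or a saved copy of the checkout page; each finding's `decoded` entry is the plaintext of the atob() literal, ready for manual review.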

What Store Owners Should Do Now

With no official patch available, Magento store owners must act quickly:

  1. Apply all available mitigations immediately.
  2. If possible, upgrade to the pre-release build (2.4.9-alpha3+), the only version that currently contains the fix.
  3. Implement real-time monitoring for unusual JavaScript behavior.
  4. Conduct a full security audit of your site’s frontend code.

Adobe has not responded to repeated requests for comment on the ongoing exploitation of PolyShell.


Tags: Magento, SVG, credit card skimmer, Magecart, PolyShell, cyberattack, e-commerce security, data exfiltration, JavaScript malware, web skimming, Luhn algorithm, XOR encryption, base64 obfuscation, IncogNet LLC, Adobe Commerce, online store security
