{"id":45245,"date":"2026-04-09T07:38:49","date_gmt":"2026-04-08T23:38:49","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/09\/hackers-use-pixel-large-svg-trick-to-hide-credit-card-stealer\/"},"modified":"2026-04-09T07:38:49","modified_gmt":"2026-04-08T23:38:49","slug":"hackers-use-pixel-large-svg-trick-to-hide-credit-card-stealer","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/09\/hackers-use-pixel-large-svg-trick-to-hide-credit-card-stealer\/","title":{"rendered":"Hackers use pixel-large SVG trick to hide credit card stealer"},"content":{"rendered":"\n

\"Hackers<\/p>\n

A massive campaign impacting nearly 100 online stores using the Magento e-commerce platform hides credit card-stealing code in a pixel-sized Scalable Vector Graphics (SVG) image.<\/p>\n

When clicking the checkout button, the victim is shown a convincing overlay that can validate card details and billing data.<\/p>\n

The campaign was discovered by eCommerce security company Sansec, whose researchers believe that the attacker likely gained access by exploiting the PolyShell vulnerability<\/a> disclosed in mid-March.<\/p>\n

\"Hackers<\/a> <\/div>\n

PolyShell impacts all Magento Open Source and Adobe Commerce stable version 2 installations, allowing unauthenticated code execution and account takeover.<\/p>\n

Sansec warned that more than half of all vulnerable stores<\/a> were targeted in PolyShell attacks, which in some cases deployed payment card skimmers using WebRTC for stealthy data exfiltration.<\/p>\n

In the latest campaign, the researchers found that the malware is injected as a 1×1-pixel SVG element with an ‘onload’ handler into the target website’s HTML.<\/p>\n

“The onload handler contains the entire skimmer payload, base64-encoded inside an atob() call and executed via setTimeout,” Sansec explains<\/a>.<\/p>\n

“This technique avoids creating external script references that security scanners typically flag. The entire malware lives inline, encoded as a single string attribute.”<\/p>\n

When unsuspecting buyers click checkout on compromised stores, a malicious script intercepts the click and displays a fake “Secure Checkout” overlay that includes card details fields and a billing form.<\/p>\n

Payment data submitted on this page is validated in real time using the Luhn verification and exfiltrated to the attacker in an XOR-encrypted, base64-obfuscated JSON format.<\/p>\n

\n
\"Hackers
Decoded payload<\/strong>
Source: Sansec<\/em><\/figcaption><\/figure>\n<\/div>\n

Sansec identified six exfiltration domains, all hosted at IncogNet LLC (AS40663) in the Netherlands, and each getting data from 10 to 15 confirmed victims.<\/p>\n

To protect against this campaign, Sansec recommends the following:<\/p>\n

    \n
  • Look for hidden SVG tags with an onload attribute using atob() and remove them from your site files<\/li>\n
  • Check if the _mgx_cv key exists in browser localStorage, as this indicates payment data may have been stolen<\/li>\n
  • Monitor and block requests to \/fb_metrics.php or any unfamiliar analytics-like domains<\/li>\n
  • Block all traffic to the IP address 23.137.249.67 and associated domains<\/li>\n<\/ul>\n

    As of writing, Adobe has still not released a security update to address the PolyShell flaw in production versions of Magento. The vendor has only made a fix available in the pre-release version 2.4.9-alpha3+.<\/p>\n

    Also, Adobe has not responded to our repeated requests for a comment on the topic.<\/p>\n

    Website owners\/admins are advised to apply all available mitigations and, if possible, upgrade Magento to the latest beta release.<\/p>\n