Hackers Use Pixel-Large SVG Trick to Hide Credit Card Stealer

BleepingComputer, Apr 8, 2026

Why It Matters

The technique demonstrates how inline SVG can evade detection, putting millions of online shoppers at risk and highlighting the urgency for Magento operators to patch the PolyShell flaw before a production update arrives.

Key Takeaways

  • 1×1 pixel SVG with onload hides skimmer code.
  • Attack leverages Magento PolyShell RCE vulnerability disclosed March 2026.
  • Fake checkout overlay captures cards, validates via Luhn, exfiltrates encrypted data.
  • Six Dutch domains (IncogNet LLC) receive data from 10‑15 stores each.
  • Adobe's fix only in pre‑release 2.4.9‑alpha3+, no production patch yet.

Pulse Analysis

The use of a single‑pixel SVG as a delivery vehicle marks a sophisticated evolution in web‑based malware. By embedding the entire payload in the element's onload attribute, the attackers avoid the external script references that most security scanners flag, and the malicious code runs silently when a shopper interacts with the checkout button. The method also relies on the browser's native ability to decode base64 strings, so traditional defenses that focus on external file loads have little to inspect.

Magento powers a substantial share of global e‑commerce, and the recent PolyShell vulnerability allows unauthenticated remote code execution across all supported versions. Exploiting this flaw, threat actors inject the SVG skimmer directly into the storefront's HTML, presenting a convincing "Secure Checkout" overlay that validates card numbers with Luhn checks before exfiltrating the data. The campaign's scale, with nearly 100 stores targeted and stolen card data routed to six domains in the Netherlands, underscores the high financial incentive and the ease with which a single exploit can compromise multiple merchants.

Mitigation now hinges on rapid detection and remediation. Security teams should scan for hidden SVG tags with onload attributes, monitor for the _mgx_cv key in localStorage, and block traffic to known exfiltration endpoints, including the IP 23.137.249.67. While Adobe has released a fix in the 2.4.9‑alpha3+ pre‑release, the lack of a production patch leaves many sites vulnerable. Organizations are advised to apply all available hardening measures, consider upgrading to the 2.4.9 pre‑release, and adopt a defense‑in‑depth strategy that includes web‑application firewalls and continuous code integrity monitoring to stay ahead of such stealthy attacks.
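The first detection step above, as an added example that is not code from the BleepingComputer article or the campaign: a Python scanner that parses storefront HTML for `<svg>` elements carrying an onload attribute, flags 0×0 or 1×1 boxes, decodes any base64 run inside the handler, and reports indicators such as the `_mgx_cv` key. The sample HTML, its payload and the indicator list are constructed for this example.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample storefront fragment (not from the real campaign): a normal 24x24
# inline SVG icon beside a 1x1 SVG whose onload evaluates a base64-encoded payload.
_PAYLOAD = "localStorage.setItem('_mgx_cv', '1');"
SAMPLE_HTML = (
    '<div class="checkout">'
    '<svg width="24" height="24" onload="this.classList.add(\'ready\')"></svg>'
    '<svg width="1" height="1" onload="eval(atob(\'{}\'))"></svg>'
    '<button id="place-order">Place Order</button></div>'
).format(base64.b64encode(_PAYLOAD.encode()).decode())

INDICATORS = ("_mgx_cv", "localStorage", "atob(", "eval(")  # constructed watch-list
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def _decode_base64_runs(handler):
    # Return every base64 run in the handler that decodes to valid UTF-8 text.
    decoded = []
    for run in _B64_RUN.findall(handler):
        try:
            decoded.append(base64.b64decode(run, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            pass  # not base64 or not text; the raw handler is still checked below
    return decoded

class _SvgOnloadScanner(HTMLParser):
    # Collects every <svg> element that carries an onload attribute.
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "svg" or a.get("onload") is None:
            return
        width, height = a.get("width") or "", a.get("height") or ""
        # A 0x0 or 1x1 box renders nothing visible, so a load handler on it is a red flag.
        tiny = all(v.strip().rstrip("px") in ("0", "1") for v in (width, height))
        decoded = _decode_base64_runs(a["onload"])
        hits = sorted(i for i in INDICATORS if i in a["onload"] + "".join(decoded))
        self.findings.append({"width": width, "height": height, "tiny": tiny,
                              "decoded": decoded, "indicators": hits,
                              "suspicious": tiny or bool(hits)})

def scan_html(html):
    scanner = _SvgOnloadScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Run `scan_html(SAMPLE_HTML)` to see one benign finding for the icon and one suspicious finding whose decoded payload writes the `_mgx_cv` key; the same function can be pointed at a fetched checkout page.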
