RC RANDOM CHAOS

Magento Skimmer Hides in 1×1 SVG Pixel, Hits ~100 Stores

· via BleepingComputer

Original source: "Hackers use pixel-large SVG trick to hide credit card stealer" (BleepingComputer)

Attackers have compromised roughly 100 Magento stores by injecting a credit card skimmer into a single-pixel SVG element embedded directly in page HTML. The malware encodes its entire payload as a base64 string inside the SVG’s onload handler, executing via setTimeout - a technique that sidesteps external script detection since nothing is loaded from a remote URL. Victims see a convincing fake ‘Secure Checkout’ overlay when they click the checkout button; card details entered there are validated with the Luhn algorithm and exfiltrated as XOR-encrypted, base64-obfuscated JSON to one of six attacker-controlled domains hosted at IncogNet LLC in the Netherlands.

The initial access vector is almost certainly PolyShell, an unauthenticated remote code execution flaw disclosed in mid-March that affects all Magento Open Source and Adobe Commerce v2 stable releases. Sansec estimates more than half of exposed stores have already been hit by PolyShell-based attacks, some deploying WebRTC-based skimmers for covert exfiltration.

Adobe has not patched PolyShell in any stable release - a fix exists only in the pre-release 2.4.9-alpha3 build. Sansec advises store operators to audit HTML for SVG tags with atob()-containing onload attributes, check browser localStorage for the _mgx_cv key as an indicator of compromise, and block traffic to 23.137.249.67 and /fb_metrics.php endpoints.
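One way to carry out the HTML audit Sansec recommends, as an added example that is not code from the article or from Sansec: a Python scanner that flags `<svg>` elements whose `onload` attribute calls `atob()`, records whether the element is 1×1 and whether `setTimeout` is involved, and decodes the base64 argument so an analyst can inspect it. The page fragment below is constructed for the example and its blob decodes to harmless JavaScript, not the skimmer's payload.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample page fragment: a 1x1 SVG whose onload decodes a base64 blob
# and runs it via setTimeout, mirroring the structure described in the article.
# The blob decodes to console.log('constructed sample'); it is not real malware.
SAMPLE_HTML = """<html><body>
<img src="/logo.png" width="120">
<svg width="1" height="1" onload="setTimeout(function(){eval(atob('Y29uc29sZS5sb2coJ2NvbnN0cnVjdGVkIHNhbXBsZScp'))},0)"></svg>
<svg viewBox="0 0 10 10" onload="draw()"></svg>
</body></html>"""

# Matches the quoted base64 string passed to atob(...)
B64_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


class SvgOnloadScanner(HTMLParser):
    """Collects <svg> elements whose onload handler calls atob()."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "svg":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        onload = a.get("onload", "")
        if "atob(" not in onload:
            return  # benign inline SVG handlers are ignored
        decoded = []
        for blob in B64_RE.findall(onload):
            try:
                decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
            except ValueError:  # binascii.Error is a ValueError subclass
                decoded.append("<undecodable>")
        self.findings.append({
            "line": self.getpos()[0],
            "size": (a.get("width"), a.get("height")),
            "one_pixel": a.get("width") == "1" and a.get("height") == "1",
            "uses_settimeout": "settimeout" in onload.lower(),
            "decoded_payloads": decoded,
        })


def scan_html(html: str) -> list:
    """Return one finding per suspicious <svg onload=...atob(...)> element."""
    scanner = SvgOnloadScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Run `scan_html` over each stored CMS page or rendered storefront HTML; a hit on a 1×1 element with a decoded payload that builds checkout overlays or posts card data warrants an incident response, not just removal of the tag.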


This is an AI-generated summary. Read the original for the full story.