Hackers Use Pixel-Sized SVG Trick to Hide Credit Card Stealers

Apr 10, 2026

What’s Happening?

Cybersecurity researchers have uncovered a large-scale campaign where attackers are hiding credit card skimmers inside 1×1 pixel SVG images—a stealthy technique that allows malicious code to bypass traditional detection systems.

The campaign has impacted nearly 100 Magento-based e-commerce stores, with attackers injecting invisible SVG elements directly into website code.

This marks a significant evolution in web skimming attacks, blending malicious payloads into what appears to be harmless image content.

Attack Overview

| Category | Details |
| --- | --- |
| Attack Type | Web skimming / Magecart-style attack |
| Delivery Method | Malicious 1×1 pixel SVG embedded in HTML |
| Target | Magento-based e-commerce websites |
| Payload | Credit card skimmer (JavaScript) |
| Impact | Theft of payment and billing data |
| Scale | ~100 compromised online stores |
| Discovery | Sansec researchers |

How the Attack Works

The attack chain is both elegant and dangerous:

1. Initial Compromise

Attackers likely exploit the PolyShell vulnerability, which enables unauthenticated access and takeover of Magento stores.

2. Malicious SVG Injection

A 1×1 pixel SVG image is injected into the website’s HTML. This image is invisible to users but contains embedded JavaScript.

3. Payload Execution

The SVG uses an onload handler to execute a base64-encoded skimmer script, decoded via atob() and triggered with setTimeout.

4. Fake Checkout Overlay

When users click “checkout,” a fake secure payment form is displayed, mimicking legitimate checkout pages.

5. Data Theft

  • Card details are validated using Luhn algorithm checks

  • Data is exfiltrated in XOR-encrypted, base64-obfuscated JSON format

Why This Attack Is Dangerous

This technique is particularly effective because:

  • Invisible payload: A 1×1 pixel image raises no suspicion

  • Inline execution: No external scripts → avoids detection

  • Trusted format abuse: SVGs are treated as safe images

  • Scanner evasion: Traditional tools look for external JS, not inline attributes

Security researchers noted that the entire malware exists as a single encoded string inside an HTML attribute, making it extremely difficult to detect.

Technical Breakdown

| Component | Description |
| --- | --- |
| SVG Element | 1×1 pixel image embedded in HTML |
| Execution Trigger | onload event |
| Obfuscation | Base64 encoding + atob() |
| Execution Method | setTimeout |
| Data Validation | Luhn algorithm |
| Exfiltration | XOR-encrypted JSON via attacker-controlled domains |

Who Is Affected?

  • Magento Open Source stores

  • Adobe Commerce installations

  • E-commerce businesses handling online payments

More than half of vulnerable stores were reportedly targeted in PolyShell exploitation attempts.

Key Indicators of Compromise (IOCs)

Security teams should look for:

  • Unexpected SVG elements in HTML code

  • Inline onload handlers in image tags

  • Base64-encoded JavaScript blobs

  • Suspicious checkout overlays

  • Outbound traffic to unknown domains during checkout
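A scanner for the first three indicators above, added here as an example (not code from Sansec or ClearPhish): it parses HTML and reports svg/img tags whose inline onload handler coincides with pixel-sized dimensions, an atob() call, setTimeout, or a base64 blob that decodes to text. The function names, the 40-character blob threshold and the sample page are assumptions constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # length threshold is an assumption
TINY = {"0", "1"}  # width/height values treated as "pixel-sized"

def _decodes_to_text(blob):
    """True if blob is valid base64 that decodes to printable ASCII."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(raw) and all(32 <= b < 127 or b in (9, 10, 13) for b in raw)

class InlineSvgScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        handler = a.get("onload", "")
        if tag not in ("svg", "img") or not handler:
            return
        reasons = ["inline onload handler"]
        if all(a.get(d, "").rstrip("px") in TINY for d in ("width", "height")):
            reasons.append("pixel-sized element")
        for needle in ("atob(", "setTimeout"):
            if needle in handler:
                reasons.append(f"{needle.rstrip('(')} call")
        if any(_decodes_to_text(m) for m in B64_BLOB.findall(handler)):
            reasons.append("base64 blob that decodes to text")
        self.hits.append({"line": self.getpos()[0], "tag": tag, "reasons": reasons})

def scan(html, min_indicators=2):
    """Return tags with an inline onload handler plus at least one more indicator."""
    parser = InlineSvgScanner()
    parser.feed(html)
    parser.close()
    return [h for h in parser.hits if len(h["reasons"]) >= min_indicators]

# Constructed sample page; the encoded string is a harmless placeholder.
_PLACEHOLDER = base64.b64encode(b"console.log('constructed benign placeholder')").decode()
SAMPLE = f"""<html><body>
<svg width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z"/></svg>
<img src="/logo.png" onload="this.classList.add('ready')">
<svg width="1" height="1" onload="setTimeout(atob('{_PLACEHOLDER}'),0)"></svg>
</body></html>"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Run it against both the template source and the HTML actually served at checkout. Elements sized through CSS and handlers set through other event attributes are outside what it checks.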

How to Defend Against This

For Security Teams

  • Patch Magento instances against the PolyShell vulnerability

  • Monitor for inline SVG execution

  • Implement client-side integrity monitoring

  • Use behavior-based detection instead of signature-only tools

For Businesses

  • Regularly audit website code for unauthorized changes

  • Deploy web application firewalls (WAFs)

  • Monitor checkout workflows for anomalies

For Users

  • Be cautious if checkout pages look slightly unusual

  • Avoid entering payment details on unfamiliar overlays

ClearPhish Insight

This campaign highlights a growing trend: malware hiding in plain sight.

Attackers are shifting away from traditional payload delivery and instead embedding malicious logic into:

  • Images (SVG)

  • HTML attributes

  • Browser-executed scripts

This means your browser is now the attack surface—not just downloaded files.

Final Takeaway

The pixel-sized SVG skimmer is a powerful reminder that anything rendered in a browser can be weaponized.

As attackers continue to innovate, organizations must move beyond traditional detection and adopt:

  • Client-side security monitoring

  • Real-time threat visibility

  • Advanced phishing simulation and awareness training

Because in modern attacks…

The smallest pixel can carry the biggest threat.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.
