Hackers Use Pixel-Sized SVG Trick to Hide Credit Card Stealers
Apr 10, 2026
What’s Happening?
Cybersecurity researchers have uncovered a large-scale campaign where attackers are hiding credit card skimmers inside 1×1 pixel SVG images—a stealthy technique that allows malicious code to bypass traditional detection systems.
The campaign has impacted nearly 100 Magento-based e-commerce stores, with attackers injecting invisible SVG elements directly into website code.
This marks a significant evolution in web skimming attacks, blending malicious payloads into what appears to be harmless image content.
Attack Overview
| Category | Details |
|---|---|
| Attack Type | Web skimming / Magecart-style attack |
| Delivery Method | Malicious 1×1 pixel SVG embedded in HTML |
| Target | Magento-based e-commerce websites |
| Payload | Credit card skimmer (JavaScript) |
| Impact | Theft of payment and billing data |
| Scale | ~100 compromised online stores |
| Discovery | Sansec researchers |
How the Attack Works
The attack chain is both elegant and dangerous:
1. Initial Compromise
Attackers likely exploit the PolyShell vulnerability, which enables unauthenticated access and takeover of Magento stores.
2. Malicious SVG Injection
A 1×1 pixel SVG image is injected into the website’s HTML. This image is invisible to users but contains embedded JavaScript.
3. Payload Execution
The SVG uses an onload handler to execute a base64-encoded skimmer script, decoded via atob() and triggered with setTimeout.
4. Fake Checkout Overlay
When users click “checkout,” a fake secure payment form is displayed, mimicking legitimate checkout pages.
5. Data Theft
Card details are validated using Luhn algorithm checks
Data is exfiltrated in XOR-encrypted, base64-obfuscated JSON format
Why This Attack Is Dangerous
This technique is particularly effective because:
Invisible payload: A 1×1 pixel image raises no suspicion
Inline execution: No external scripts → avoids detection
Trusted format abuse: SVGs are treated as safe images
Scanner evasion: Traditional tools look for external JS, not inline attributes
Security researchers noted that the entire malware exists as a single encoded string inside an HTML attribute, making it extremely difficult to detect.
Technical Breakdown
| Component | Description |
|---|---|
| SVG Element | 1×1 pixel image embedded in HTML |
| Execution Trigger | onload handler |
| Obfuscation | Base64 encoding + atob() |
| Execution Method | setTimeout |
| Data Validation | Luhn algorithm |
| Exfiltration | XOR-encrypted JSON via attacker-controlled domains |
Who Is Affected?
Magento Open Source stores
Adobe Commerce installations
E-commerce businesses handling online payments
More than half of vulnerable stores were reportedly targeted in PolyShell exploitation attempts.
Key Indicators of Compromise (IOCs)
Security teams should look for:
Unexpected SVG elements in HTML code
Inline onload handlers in image tags
Base64-encoded JavaScript blobs
Suspicious checkout overlays
Outbound traffic to unknown domains during checkout
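The first three indicators above can be checked mechanically against the HTML a store serves. The following is an added example, not code from the original article or from Sansec: it uses Python's standard html.parser to flag svg tags that carry inline on* handlers and notes which of the described traits each one shows. The reason labels, the 40-character base64 threshold and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristics follow the behaviour described above; the thresholds are assumptions.
DECODE_EXEC = re.compile(r"\b(?:atob|setTimeout)\s*\(")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking run
ONE_PX = re.compile(r"^\s*1(?:\.0+)?(?:px)?\s*$")


class SvgHandlerScanner(HTMLParser):
    """Record every <svg> start tag that carries an inline on* handler."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "svg":
            return
        attr = {name: (value or "") for name, value in attrs}
        handlers = {n: v for n, v in attr.items() if n.startswith("on")}
        if not handlers:
            return
        code = " ".join(handlers.values())
        reasons = ["inline-handler:" + ",".join(sorted(handlers))]
        if DECODE_EXEC.search(code):
            reasons.append("decode-or-timer-call")
        if B64_RUN.search(code):
            reasons.append("base64-blob")
        if ONE_PX.match(attr.get("width", "")) and ONE_PX.match(attr.get("height", "")):
            reasons.append("1x1-size")
        self.findings.append({"line": self.getpos()[0], "reasons": reasons})


def scan_html(text):
    """Return findings for one HTML document, in document order."""
    scanner = SvgHandlerScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


BLOB = "QUFB" * 12  # constructed, inert: base64 of 36 "A" characters
SAMPLE = (  # constructed fragment, not taken from a real store
    '<svg width="24" height="24"><path d="M0 0h24v24H0z"/></svg>\n'
    f'<svg width="1" height="1" onload="setTimeout(atob(\'{BLOB}\'),0)"></svg>\n'
)

if __name__ == "__main__":
    print(*scan_html(SAMPLE), sep="\n")
```

This inspects static markup only, so an element added to the DOM at runtime by another script would need browser-side monitoring to catch. A finding with only the inline-handler reason deserves review but is weaker evidence than one that also shows the decode call, the blob and the 1×1 size.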
How to Defend Against This
For Security Teams
Patch Magento instances against the PolyShell vulnerability
Monitor for inline SVG execution
Implement client-side integrity monitoring
Use behavior-based detection instead of signature-only tools
For Businesses
Regularly audit website code for unauthorized changes
Deploy web application firewalls (WAFs)
Monitor checkout workflows for anomalies
For Users
Be cautious if checkout pages look slightly unusual
Avoid entering payment details on unfamiliar overlays
ClearPhish Insight
This campaign highlights a growing trend: malware hiding in plain sight.
Attackers are shifting away from traditional payload delivery and instead embedding malicious logic into:
Images (SVG)
HTML attributes
Browser-executed scripts
This means your browser is now the attack surface—not just downloaded files.
Final Takeaway
The pixel-sized SVG skimmer is a powerful reminder that anything rendered in a browser can be weaponized.
As attackers continue to innovate, organizations must move beyond traditional detection and adopt:
Client-side security monitoring
Real-time threat visibility
Advanced phishing simulation and awareness training
Because in modern attacks…
The smallest pixel can carry the biggest threat.