
Magecart Campaign Hides Magento Card Skimmer in 1x1 SVG Images

Tags: financial-sector-threat, data-exfiltration-method, internet-facing-service-vulnerability, threat-infrastructure-tracking, detection-content-update
Updated April 10, 2026 at 07:03 AM (2 sources)


A large Magecart campaign compromised nearly 100 Magento and Adobe Commerce stores by hiding a full credit-card skimmer inside a 1x1-pixel SVG embedded directly in checkout page HTML. Researchers said the malware stores its payload in the SVG onload handler, decodes it with atob(), and runs it via setTimeout, allowing it to evade scanners that typically look for externally loaded scripts. When shoppers click checkout, the skimmer displays a convincing fake "Secure Checkout" overlay that captures billing and payment details before validating card numbers with the Luhn algorithm.

The stolen data is exfiltrated as XOR-encrypted, base64-obfuscated JSON to attacker-controlled infrastructure, in some cases disguised as Facebook analytics traffic. Sansec linked the infections to exploitation of the PolyShell vulnerability, which affects Magento Open Source and Adobe Commerce stable version 2 deployments and can enable unauthenticated code execution and account takeover. Defenders were urged to hunt for hidden SVG tags and suspicious onload code, check for the _mgx_cv localStorage key, and block outbound traffic to the identified attacker infrastructure, including domains resolving to 23.137.249.67 hosted by IncogNet in the Netherlands.
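The hunting guidance above (look for hidden inline SVG tags whose onload handler decodes a base64 string with atob() and schedules it with setTimeout) can be turned into a small scanner over saved checkout-page HTML. The following is an added example written for this page, not Sansec's tooling or the skimmer itself; the risk score, the 40-character base64 threshold and the sample page are constructed assumptions, and the staged payload is a harmless console.log, not the real skimmer.

```python
import base64
import re
from html.parser import HTMLParser

# Heuristics taken from the reported technique: a 1x1 inline <svg> whose onload
# handler hands a base64 string to atob() and schedules the result with setTimeout.
SUSPICIOUS_CALLS = ("atob(", "setTimeout(", "eval(", "Function(")
B64_ARG = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{40,})['\"]\s*\)")

class SvgOnloadHunter(HTMLParser):
    """Record every inline <svg> that carries an onload handler, with a crude risk score."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "svg":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        onload = a.get("onload")
        if not onload:
            return
        # width="1" or width="1px" on both axes marks the tracking-pixel-sized element
        tiny = a.get("width", "").rstrip("px") == "1" and a.get("height", "").rstrip("px") == "1"
        calls = [c for c in SUSPICIOUS_CALLS if c in onload]
        decoded = None
        m = B64_ARG.search(onload)
        if m:
            try:  # recover the staged script so an analyst can read it
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:  # not valid base64 after all
                pass
        score = len(calls) + (2 if tiny else 0) + (1 if decoded else 0)
        self.findings.append({"line": self.getpos()[0], "tiny": tiny, "calls": calls,
                              "decoded": decoded, "score": score})

def hunt_svg_skimmers(html, min_score=2):
    """Parse a page and return only the inline-SVG findings at or above min_score."""
    hunter = SvgOnloadHunter()
    hunter.feed(html)
    return [f for f in hunter.findings if f["score"] >= min_score]

# Constructed checkout fragment: a normal logo SVG plus a hidden 1x1 SVG staging a
# harmless base64 payload the way the reported skimmer did (not the real payload).
_STAGED = base64.b64encode(b'console.log("constructed sample payload")').decode()
SAMPLE_HTML = f"""<div class="checkout">
<svg width="200" height="40" onload="this.classList.add('ready')"><title>logo</title></svg>
<svg width="1" height="1" onload="setTimeout(atob('{_STAGED}'),0)"></svg>
</div>"""
```

Calling `hunt_svg_skimmers(SAMPLE_HTML)` returns only the 1x1 element (line 3, score 5) with its decoded payload, while the logo SVG's benign onload scores 0 and is dropped; on a real store, run it over the rendered checkout HTML rather than the template, since the injection was in the served page.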

Timeline

  1. Apr 8, 2026: Researchers disclose SVG-based skimmer technique and IOCs

     Researchers publicly detailed that the skimmer used an SVG onload handler with base64-decoded JavaScript, fake 'Secure Checkout' overlays, Luhn validation, and XOR/base64-obfuscated exfiltration. They also published indicators and hunting guidance, including the _mgx_cv localStorage key, attacker domains, and traffic to 23.137.249.67.

  2. Apr 8, 2026: PolyShell vulnerability leaves Magento stores exposed

     An ongoing PolyShell vulnerability affecting Magento Open Source and Adobe Commerce stable version 2 installations enabled unauthenticated code execution and account takeover, and researchers believe attackers likely used it to gain access to the compromised stores. At the time of reporting, Adobe had not released a production security update; a fix was only available in pre-release version 2.4.9-alpha3+.

  3. Apr 7, 2026: Magecart campaign compromises 99 Magento stores

     On 2026-04-07, Sansec discovered a large-scale Magento skimming campaign affecting 99 online stores. The attackers hid a credit card skimmer inside a 1x1-pixel SVG embedded in checkout page HTML to evade detection.


Related Stories

Mass Exploitation of Magento SessionReaper (CVE-2025-54236) to Hijack Admin Sessions and Gain Root Access

Threat actors conducted a mass exploitation campaign against **Magento** e-commerce deployments by abusing **CVE-2025-54236** (aka **SessionReaper**), an authentication/session management flaw that allows attackers to bypass login controls by **reusing improperly invalidated session tokens**. Reporting based on an **Oasis Security** investigation described large-scale scanning that identified **1,000+ exposed/vulnerable Magento Commerce APIs** and confirmed compromises of **200+ websites** (with one count citing **216 victim sites**), indicating broad weaponization by multiple actors across regions. After hijacking valid admin sessions via replayed “zombie” tokens, intruders escalated privileges to achieve **root-level control** of affected Linux servers, enabling follow-on actions such as deploying **web shells** for persistent remote command execution and full administrative takeover of storefront infrastructure. Separately, research on **eSkimming/Magecart** activity highlighted that browser-based JavaScript payment-card theft remains persistent across e-commerce sites—often via third-party script/supply-chain compromise—and a longitudinal study of **550** previously compromised sites found **18%** still infected a year later, underscoring that e-commerce compromises frequently involve durable footholds and re-compromise even after initial cleanup.

1 month ago

Silent Push Uncovers Long-Running Magecart Web-Skimming Infrastructure Targeting Major Payment Networks

Silent Push reported a large-scale **Magecart-style web-skimming** operation active since early 2022 that uses an extensive domain network to support client-side JavaScript skimmers on compromised e-commerce checkout pages. The activity is assessed to impact **online shoppers** and organizations that are **clients of major payment providers**, with targeting noted against **American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay**; the skimmers are designed to quietly exfiltrate payment-card and other form data during transactions rather than disrupt systems. Technical reporting tied the infrastructure to domains hosting **highly obfuscated skimmer payloads** (e.g., `recorder.js`, `tab-gtm.js`) and described evasion logic that attempts to avoid execution when site administrators are present (e.g., checking the DOM for WordPress’ `wpadminbar`). The infrastructure analysis also linked parts of the campaign to a domain associated with the sanctioned bulletproof hosting ecosystem around **Stark Industries / PQ.Hosting**, which has been described as rebranding to *THE[.]Hosting* under **WorkTitans B.V.**, consistent with sanctions-evasion behavior; researchers emphasized that weak **third-party script governance** on payment pages remains a key enabling factor for this type of long-lived skimming operation.

1 month ago

PolyShell flaw in Magento enables unauthenticated file uploads and RCE

A critical Magento vulnerability dubbed **PolyShell** allows unauthenticated attackers to upload arbitrary files through the platform's REST API by disguising malicious payloads as image uploads in cart item custom options. The issue affects all stable versions of **Magento Open Source** and **Adobe Commerce**, and stems from Magento writing base64-encoded file data to a server-accessible upload directory, creating a path to compromise without prior authentication. Depending on web server configuration, successful exploitation can lead to **remote code execution** or **account takeover** through stored cross-site scripting. Adobe addressed the flaw in the `2.4.9` pre-release branch under **APSB25-94**, but no standalone production patch is available, leaving current deployments exposed. Researchers at Sansec said exploit methods are already circulating and warned that automated attacks are likely, urging administrators to restrict access to the affected upload directory, verify web server protections, and scan stores for web shells or other malware.

1 month ago