Security researchers have uncovered a sophisticated web skimming campaign targeting nearly 100 Magento-powered online stores, in which attackers conceal credit card-stealing JavaScript inside a pixel-sized Scalable Vector Graphics (SVG) image — a deceptive technique designed to evade visual detection and automated security scans.
The SVG Hiding Technique
Traditional web skimmer injections embed malicious JavaScript directly into page source code or external script files, where they can be spotted by file integrity monitoring, content security policy violations, or visual review. This campaign takes a more subtle approach:
- A malicious SVG file (rendered as a single 1×1 pixel invisible to the human eye) is uploaded or injected into the targeted Magento store
- The SVG contains embedded JavaScript within its XML structure — a feature of the SVG format that legitimate use cases also employ
- The browser executes the embedded script when the page loads, but only where the SVG is treated as a document rather than as an image: inlined directly in the page markup, loaded through <object>, <embed> or <iframe>, or opened by URL. An SVG referenced from an <img> tag or a CSS background never runs script, so a file dropped in an image directory only becomes a skimmer once something on the checkout page inlines it or loads it as a document
- The injected script intercepts payment form submissions, capturing credit card numbers, expiry dates, CVV codes, and billing information before the data reaches the payment processor
The result is a skimmer that hides in plain sight — visually invisible, and difficult to detect without purpose-built scanning tools that inspect SVG content for executable code.
Why Magento?
Magento (now Adobe Commerce) remains one of the most widely deployed e-commerce platforms globally, particularly among mid-market retailers. Its popularity, combined with a historically complex update cycle, means that many deployments run outdated versions with known vulnerabilities. Attackers routinely target Magento installations via:
- Outdated plugin vulnerabilities with publicly available exploits
- Compromised admin credentials through credential stuffing or phishing
- Server-side injection via file upload vulnerabilities or remote code execution flaws
- Third-party theme and extension supply chain weaknesses
Once an attacker gains access to the Magento admin panel or server filesystem, injecting a malicious SVG is trivial — it can be embedded in a theme template, product image directory, or even a CMS block that renders across checkout pages.
Scale and Impact
Researchers identified the campaign active across nearly 100 online stores, though the actual number of affected shops may be higher given the difficulty of detection. Victims of the skimmer include any customers who entered payment details on the compromised checkout pages during the active infection window.
The stolen data is typically exfiltrated to an attacker-controlled server in real time, often encoded in base64 or encrypted to further obscure the transmission. Data collected by these skimmers is subsequently sold on criminal marketplaces or used directly for fraudulent purchases.
Detection Challenges
The SVG-based hiding technique poses specific challenges for defenders:
| Challenge | Detail |
|---|---|
| Visual inspection | A 1×1 pixel SVG is functionally invisible on any page |
| File integrity monitoring | Requires monitoring image directories in addition to JS/PHP files |
| Content Security Policy | Script inside an inline SVG is inline script and is blocked by a CSP that omits 'unsafe-inline'; but an SVG loaded as its own document (<object>, <iframe>) is governed only by the headers on that file's response, and static files under pub/media are usually served without any CSP, so the checkout page's policy never reaches them |
| AV/EDR scanning | Many endpoint scanners do not parse SVG XML for embedded JavaScript |
| Browser behavior | Wherever SVG script is allowed to run, the browser executes it silently, exactly like an ordinary <script>; there is no warning or permission prompt |
Security teams conducting incident response on Magento stores should explicitly inspect SVG files in pub/media/ and in theme directories (app/design/, composer-installed themes under vendor/, and the deployed copies under pub/static/) for <script> elements, on* event-handler attributes (onload=, onclick=), javascript: URLs in href or xlink:href attributes, and obfuscated or base64-encoded JavaScript content.
Indicators of Compromise
Organizations should scan for the following in Magento store files (GNU grep syntax; adjust the paths to the deployment):

```bash
# Search for script elements, event-handler attributes and javascript: URLs inside SVG files
grep -rliE "<script|\bon[a-z]+\s*=|javascript:" /path/to/magento/pub/media/ --include="*.svg"
# Check for recently modified SVG files (potential injection). index.php is only a reference
# timestamp: substitute any file known to predate the suspected compromise
find /path/to/magento/ -name "*.svg" -newer /path/to/magento/index.php -type f
# Look for base64-encoded content in SVG files (obfuscated payload)
grep -rli "base64" /path/to/magento/pub/media/ --include="*.svg"
# Search for exfiltration primitives in SVG files under pub/; widen --include to
# *.js, *.html and *.phtml to cover the same check for scripts and templates
grep -rlE "fetch\(|XMLHttpRequest|navigator\.sendBeacon|WebSocket" /path/to/magento/pub/ --include="*.svg"
```

Remediation Steps
- Audit all SVG files in the Magento media directory and theme folders for embedded <script> elements, on* event-handler attributes, and javascript: URLs
- Implement a strict Content Security Policy that blocks inline scripts and restricts script sources to known-good domains, and serve the same policy on SVG responses so that files loaded as documents are covered too
- Restrict SVG file uploads: if SVG is not required, disable the file type in Magento's allowed media types
- Sanitize SVG uploads with a server-side library (e.g., svg-sanitize) that strips executable content before storage, and reject uploads that are not well-formed XML
- Enable file integrity monitoring on Magento's pub/media and theme directories
- Update Magento to the latest patched release and audit all installed extensions for known vulnerabilities
- Rotate admin credentials and enable two-factor authentication on the Magento admin panel
- Deploy a server-side payment page scanner such as those offered by Sansec or similar Magento security vendors
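Putting the detection guidance from the Detection Challenges section and the sanitize-on-upload step above into working code: the scanner and sanitizer below are an added example written for this page, not the article's code and not any vendor's product (they do far less than a maintained library such as svg-sanitize, which remains the right choice in production). The block uses only the Python standard library, parses each SVG as XML so that entity-encoded tricks are inspected in decoded form, flags <script> and <foreignObject> elements, on* event-handler attributes, javascript: and base64 data: hrefs, and a 1×1 canvas, and can strip the executable parts. The three sample SVGs at the bottom are constructed for the demonstration; the directory path, file name and function names are this example's own.

```python
"""Scan SVG files for executable content and strip it out. Added example, not code from the
article or from any vendor scanner; Python standard library only. It parses each SVG as
XML instead of grepping it, so an entity-encoded href="&#106;avascript:..." is seen decoded."""
import base64
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

SVG_NS, XLINK_NS = "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize with a default xmlns, not ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)
DROP_TAGS = {"script", "foreignobject"}  # <foreignObject> can wrap arbitrary HTML, <script> included

def _local(name: str) -> str:
    """Strip the {namespace} part of a tag or attribute name and lower-case it."""
    return name.rsplit("}", 1)[-1].lower()

def _attr_reason(name: str, value: str):
    """Return why an attribute is executable, or None if it is harmless."""
    ln, raw = _local(name), value.strip()
    if ln.startswith("on"):              # onload=, onclick=, onbegin=, ... are all event handlers
        return "event handler attribute"
    if ln == "href":                     # covers both href and xlink:href
        if raw.lower().startswith("javascript:"):
            return "javascript: URL"
        if raw.lower().startswith("data:") and ";base64," in raw:
            try:
                payload = base64.b64decode(raw.split(";base64,", 1)[1]).decode("utf-8", "ignore")
            except ValueError:
                return "undecodable base64 data: URL"
            if "<script" in payload.lower() or "javascript:" in payload.lower():
                return "base64 data: URL that itself contains script"
    return None

def _tiny(dim: str) -> bool:
    """True for a width/height of 1px or less: the pixel-sized decoy described above."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(?:px)?\s*", dim)
    return bool(m) and float(m.group(1)) <= 1

def scan_svg(text: str) -> list:
    """Return findings for one SVG document; an empty list means nothing executable was found."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:         # an 'image' that is not well-formed XML is itself suspect
        return [f"unparseable XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DROP_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            if reason := _attr_reason(name, value):
                findings.append(f"<{tag} {_local(name)}>: {reason}")
    if _tiny(root.get("width", "")) and _tiny(root.get("height", "")):
        findings.append(f"tiny canvas {root.get('width')}x{root.get('height')}")
    return findings

def sanitize_svg(text: str) -> str:
    """Return the SVG with script elements and executable attributes removed.
    Malformed input raises ET.ParseError on purpose: reject such uploads rather than repair them."""
    root = ET.fromstring(text)
    parents = {child: parent for parent in root.iter() for child in parent}  # ET has no parent links
    for el in list(root.iter()):
        if _local(el.tag) in DROP_TAGS and el in parents:
            parents[el].remove(el)
            continue
        for name in list(el.attrib):
            if _attr_reason(name, el.attrib[name]):
                del el.attrib[name]
    return ET.tostring(root, encoding="unicode")

def scan_directory(root: Path) -> dict:
    """Map each SVG under root (pub/media, app/design, ...) to its findings; clean files are omitted."""
    results = {}
    for path in root.rglob("*.svg"):
        findings = scan_svg(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            results[str(path)] = findings
    return results

# Constructed samples, not files from the campaign; the script bodies are inert.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="1" height="1">
  <rect width="1" height="1" fill="none" onload="console.log('loaded')"/>
  <a xlink:href="&#106;avascript:void(0)"><circle r="1"/></a>
  <script><![CDATA[ document.addEventListener("submit", function (e) { console.log("submit"); }); ]]></script>
</svg>"""
DATA_HREF_SVG = '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"><use href="data:image/svg+xml;base64,%s"/></svg>' % base64.b64encode(b"<svg><script>alert(1)</script></svg>").decode()
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24">
  <path d="M12 2 2 22h20Z" fill="currentColor"/>
</svg>"""
SAMPLES = {"malicious": MALICIOUS_SVG, "data-href": DATA_HREF_SVG, "benign": BENIGN_SVG}

if __name__ == "__main__":               # python svg_scan.py /path/to/magento/pub/media
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    report = scan_directory(target) if target else {k: scan_svg(v) for k, v in SAMPLES.items()}
    for name, findings in report.items():
        print(name, *findings, sep="\n    ")
```

Run it with a directory argument to list every SVG that has findings, or with no argument to see the constructed samples classified. Two design choices worth knowing before relying on it: it deliberately raises on malformed XML rather than repairing it, since an upload that is not well-formed XML should be rejected outright; and it reports a 1×1 canvas as a finding on its own, which will also flag legitimate tracking pixels and spacer images, so treat that signal as a triage hint rather than a block rule.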
Broader Context
SVG-based skimmer hiding is an evolution of the Magecart family of web skimming attacks that have plagued e-commerce platforms since 2016. Criminal groups operating Magecart-style campaigns continuously innovate their concealment techniques as defenders develop detection capabilities — embedding code in favicon files, WebSocket connections, third-party analytics tags, and now pixel-sized SVG images.
For online retailers, the lesson is clear: payment page security requires active, automated scanning of all file types served on checkout pages — not just JavaScript files — combined with a layered defence strategy including strict CSP headers, sub-resource integrity checks, and server-side integrity monitoring.
Source: BleepingComputer — Hackers Use Pixel-Large SVG Trick to Hide Credit Card Stealer