Magecart Skimmer Hides in SVG onload Attributes on Magento Checkout Pages
Key Takeaways
- A significant Magecart campaign, discovered on April 7, 2026, has compromised 99 Magento e-commerce sites.
- The attackers employ an innovative SVG-based skimmer that injects malicious code directly into checkout pages, making it difficult to detect.
- The skimmer presents a convincing fake payment overlay, steals credit card details, encrypts them, and then redirects victims to the legitimate checkout process, often without their knowledge.
- The PolyShell vulnerability is suspected to be the initial entry point for these widespread infections.
- Immediate action is required for Magento and Adobe Commerce administrators to identify and mitigate the threat.
Sophisticated Magecart Campaign Hides Skimmer in SVG onload Attributes on Magento Platforms
A new, highly evasive Magecart campaign, identified on April 7, 2026, has successfully breached 99 Magento e-commerce stores. This advanced attack method introduces credit card skimmers directly onto checkout pages by embedding malicious code within invisible Scalable Vector Graphics (SVG) elements, a technique designed to bypass conventional security measures.
The operation, dubbed a “double-tap” skimmer, deceives shoppers by presenting a lifelike fake payment interface. After illicitly capturing payment information, it seamlessly redirects users to the authentic checkout flow, ensuring most victims remain unaware of the data theft.
SVG Onload Evasion Technique Detailed
To circumvent standard scanning tools, the attackers rely on inline execution: a concealed 1×1-pixel SVG element is injected directly into the HTML of compromised storefronts. The entire malicious payload sits inside the SVG’s onload attribute as a base64 string, which the handler decodes at runtime with atob() and then hands to setTimeout() for execution (setTimeout() called with a string argument evaluates that string as code, the same as eval(), so no script tag is needed). Because the malware lives entirely inline, in a single attribute string, it creates no external script reference, and external script references are what most automated scanners key on.
Security researchers at Sansec suggest that the initial compromise vector for these mass infections is the ongoing PolyShell vulnerability, which continues to affect unpatched Magento and Adobe Commerce environments.
How the Skimmer Operates
The skimmer activates the moment a customer attempts to finalize a purchase. It registers a click listener in the capture phase (the useCapture argument of addEventListener), so it intercepts clicks on any checkout button before the store’s own handlers run. It then draws a full-screen modal overlay titled “Secure Checkout”, complete with a lock icon and real-time validation of the card number, which makes the fake form behave like a real one.
When the victim submits billing details, the skimmer immediately packages the stolen data: it applies an XOR cipher with the fixed key “script” and then base64-encodes the result. (The report describes this step as encryption; a static-key XOR is obfuscation that anyone holding the key can reverse in a few lines.) The packaged data is then transmitted to one of six attacker-controlled domains. To disguise the theft, the exfiltration endpoint is named /fb_metrics.php, so the traffic passes as routine Facebook analytics. After a successful theft, the script writes a marker to the browser’s localStorage and redirects the user to the genuine checkout page to complete the transaction.
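The packaging described above is straightforward to reverse once the key is known. The following is an added example, not the skimmer’s own code and not Sansec’s tooling: it reproduces the XOR-with-“script”-then-base64 step to generate test input, and provides the analyst-side unpacker and a triage filter for captured POST bodies. Two details are assumptions not stated in the report: that the stolen fields are serialised as JSON before the XOR, and that the key is applied as ASCII bytes cycling over the plaintext. The sample record and request bodies are constructed.

```javascript
// Added example (not the skimmer's code): reverse the XOR("script") + base64
// packaging so a captured POST body can be read.
// Assumptions not on the page: JSON serialisation of the stolen fields, and
// the key applied as ASCII bytes cycling over the plaintext.
const XOR_KEY = "script";

// Byte-wise XOR with a repeating key. XOR is its own inverse, so the same
// routine both obfuscates and recovers.
function xorBytes(bytes, key) {
  const k = Buffer.from(key, "utf8");
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ k[i % k.length];
  return out;
}

// Skimmer side: record -> JSON -> XOR -> base64. Reproduced only to build test
// input; a fixed-key XOR is obfuscation, not encryption.
function packageLikeSkimmer(record, key = XOR_KEY) {
  const plain = Buffer.from(JSON.stringify(record), "utf8");
  return xorBytes(plain, key).toString("base64");
}

// Analyst side: base64 -> XOR -> JSON.
function unpackExfil(body, key = XOR_KEY) {
  const cipher = Buffer.from(body, "base64");
  return JSON.parse(xorBytes(cipher, key).toString("utf8"));
}

// Triage: which bodies from a proxy or WAF log unpack to a JSON object under
// this key? Normal analytics payloads and plain base64 JSON fail the parse,
// because XOR-ing them with the key yields non-JSON bytes.
function triageBodies(bodies, key = XOR_KEY) {
  return bodies.filter((b) => {
    try {
      const r = unpackExfil(b, key);
      return r !== null && typeof r === "object";
    } catch {
      return false;
    }
  });
}

// Constructed sample: a standard test card number, not real data.
const SAMPLE_RECORD = { cc: "4111111111111111", exp: "12/29", cvv: "123", name: "J. Doe" };

// Constructed request bodies: one skimmer blob, one ordinary analytics query
// string, one unobfuscated base64 JSON event.
const SAMPLE_BODIES = [
  packageLikeSkimmer(SAMPLE_RECORD),
  "utm_source=fb&event=page_view",
  Buffer.from(JSON.stringify({ event: "page_view" })).toString("base64"),
];

// Usage: triageBodies(SAMPLE_BODIES) returns only the first body, and
// unpackExfil() on it yields SAMPLE_RECORD.
```

Run the triage over every POST body logged to the /fb_metrics.php path (or to any of the six domains) rather than only the ones that look suspicious; the whole point of the base64 wrapper is that the bodies look like opaque analytics blobs.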
What You Should Do
Administrators of Magento and Adobe Commerce platforms must immediately review their environments for signs of active infection. Sansec research highlights several indicators:
- Check whether the six identified exfiltration domains, including statistics-for-you.com and morningflexpleasure.com, resolve to the IP address 23.137.249.67 (Netherlands-based). Treat the IP as a point-in-time indicator; the domain names and the /fb_metrics.php path are the more durable matches.
- Inspect page sources for <svg> elements carrying onload attributes that call atob() to decode an embedded payload.
- Examine the browser’s localStorage for the key _mgx_cv, which the skimmer sets to avoid skimming the same victim twice.
- Monitor network traffic logs for fetch() POST requests sent in no-cors mode, with a hidden iframe as a fallback channel.
- Ensure all Magento and Adobe Commerce installations are patched against known vulnerabilities, especially the PolyShell vulnerability.
- Implement a content security policy (CSP) that restricts inline script execution and limits external resource loading. A script-src directive without 'unsafe-inline' blocks inline event-handler attributes such as onload outright (a nonce does not whitelist them), a connect-src limited to known hosts blocks the fetch() to the exfiltration domains, and frame-src covers the iframe fallback. Enforcing this on Magento takes work because of the platform’s own inline scripts, so start in report-only mode and tighten from there.
- Regularly scan e-commerce environments with specialized tools capable of detecting advanced skimmer techniques.
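The SVG onload technique described earlier and the indicator list above both come down to one static check: find inline <svg> elements whose onload handler decodes a base64 literal with atob(), decode that literal, and report the element’s size and whether the handler defers execution through setTimeout() or a similar evaluator. The following is an added example written for this page, not Sansec’s scanner and not the campaign’s code; it runs over a saved copy of a storefront page. The sample HTML, its harmless console.log payload, and the request log it flags are constructed, and the regex approach is a triage heuristic (a real DOM parser would be needed to handle entity-encoded attribute values).

```javascript
// Added example (not Sansec's tooling, not the campaign's code): static triage
// of a saved storefront page for the SVG onload pattern, plus URL matching
// against the published indicators. Inputs below are constructed.
const STAGE2 = 'console.log("stage2")'; // harmless stand-in for the real payload
const STAGE2_B64 = Buffer.from(STAGE2, "utf8").toString("base64");

// Constructed page: one legitimate inline logo and one injected 1x1 SVG whose
// onload handler is setTimeout(atob('...'), 0). setTimeout with a string
// argument evaluates it as code, so no <script> element ever appears.
const SAMPLE_HTML = `
<div class="logo"><svg width="120" height="40" viewBox="0 0 120 40"><path d="M0 0h120v40H0z"/></svg></div>
<svg width="1" height="1" style="position:absolute;left:-9999px" onload="setTimeout(atob('${STAGE2_B64}'), 0)"></svg>
`;

function findSvgOnloadPayloads(html) {
  // Capture the attributes before onload so the element's size can be checked.
  const svgOnload = /<svg\b([^>]*?)\bonload\s*=\s*(["'])([\s\S]*?)\2/gi;
  // Only quoted base64 literals are decoded; a computed argument is still
  // reported through usesAtob.
  const atobLiteral = /atob\(\s*(["'])([A-Za-z0-9+\/=]+)\1\s*\)/g;
  const findings = [];
  let m;
  while ((m = svgOnload.exec(html)) !== null) {
    const [, attrs, , handler] = m;
    const decoded = [];
    let a;
    while ((a = atobLiteral.exec(handler)) !== null) {
      decoded.push(Buffer.from(a[2], "base64").toString("utf8"));
    }
    findings.push({
      // width/height of 1 (or 1px in an inline style) marks the hidden pixel.
      tiny: /(?:width|height)\s*[=:]\s*["']?1(?:px)?\b/i.test(attrs),
      usesAtob: /\batob\s*\(/.test(handler),
      // Deferred or dynamic evaluation of the decoded string.
      usesTimer: /\b(?:setTimeout|setInterval|eval|Function)\s*\(/.test(handler),
      decoded,
      handler,
    });
  }
  return findings;
}

// Indicators from the report: the exfiltration path and two of the six named
// domains. Matching either is enough to flag a request for review.
const IOC_DOMAINS = new Set(["statistics-for-you.com", "morningflexpleasure.com"]);
const IOC_PATH = "/fb_metrics.php";

function flagExfilUrls(urls) {
  return urls.filter((u) => {
    let p;
    try {
      p = new URL(u);
    } catch {
      return false;
    }
    return IOC_DOMAINS.has(p.hostname) || p.pathname === IOC_PATH;
  });
}

// Constructed request log (not captured traffic).
const SAMPLE_URLS = [
  "https://statistics-for-you.com/fb_metrics.php",
  "https://connect.facebook.net/en_US/fbevents.js",
  "https://shop.example/checkout/",
];

// Usage: findSvgOnloadPayloads(SAMPLE_HTML) returns one finding with
// tiny === true and decoded[0] === 'console.log("stage2")';
// flagExfilUrls(SAMPLE_URLS) returns only the first URL.
```

Run the page scan against the rendered checkout HTML as a browser sees it, not only against the theme files on disk: the injection described here lands in served markup, and a templated store can emit the element from a database-stored block that never appears in the code base.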
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.