Hackers Hide Magecart Skimmer on Magento Using SVG On
A massive Magecart campaign, identified on April 7, 2026, has compromised 99 Magento e-commerce stores. This sophisticated attack utilizes an innovative evasion technique, injecting credit card skimmers directly into checkout pages through invisible Scalable Vector Graphics (SVG) elements.
This “double-tap” skimmer displays a highly convincing fake payment overlay before silently redirecting shoppers to the legitimate checkout process, ensuring most victims remain completely unaware of the theft.
To evade traditional scanners, attackers are shifting to inline execution by injecting a hidden 1×1-pixel SVG element directly into a compromised store’s HTML.
SVG Onload Evasion Technique
The entire malicious payload is hidden within the SVG’s onload attribute as a base64 string, which the attribute decodes with atob() and then executes via a setTimeout call.
Because the malware lives entirely inline as a single string attribute, it avoids creating the external script references that typically trigger automated security alerts.
Sansec security experts believe the initial entry vector for these mass infections is the ongoing PolyShell vulnerability, which continues to plague unpatched Magento and Adobe Commerce environments.
The skimmer activates the moment a shopper attempts to finalize their purchase. Using a capture-phase (useCapture) JavaScript event listener, the malware intercepts clicks on any checkout button before the store’s legitimate handlers can respond.
It then generates a full-screen modal overlay titled “Secure Checkout,” complete with a trusted lock icon and real-time validation for credit card numbers.
Once the victim submits their billing information, the skimmer immediately packages the stolen data: the script applies an XOR cipher with the key “script” and base64-encodes the result.
The malware then transmits this packaged data to one of six attacker-controlled domains.
To further mask the theft, the exfiltration endpoint is named /fb_metrics.php, disguising the malicious traffic as routine Facebook analytics data.
After a successful theft, the script drops a marker in the browser and sends the user to the real checkout page to complete their transaction.
According to Sansec research, administrators should immediately review their environments for the following signs of an active infection:
- All six exfiltration domains, including statistics-for-you.com and morningflexpleasure.com, resolve to a single Netherlands-based IP address: 23.137.249.67.
- Compromised page sources will feature <svg elements containing suspicious onload attributes and atob() decoding functions.
- The browser’s local storage contains the key _mgx_cv, which attackers use to prevent payment data for the same victim from being stolen twice.
- Network traffic logs will show data exfiltration via fetch() POST requests in no-cors mode, with a hidden iframe serving as a fallback.
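The indicators above can be checked mechanically. As an added example (not Sansec’s code or tooling), the Python below scans page source for the SVG onload/atob() pattern described in the report, decodes the embedded blob so an analyst can review it, and reverses the XOR-“script” plus base64 packaging on a captured POST body; the sample HTML and payload are constructed for illustration.

```python
import base64
import re

# Constructed sample of the injection pattern described in the report: a 1x1 SVG
# whose onload attribute decodes a base64 string with atob() and runs it via
# setTimeout. The embedded payload here is a harmless console.log.
SAMPLE_HTML = (
    '<html><body><div>Checkout</div>'
    '<svg width="1" height="1" onload="setTimeout(atob(&quot;'
    + base64.b64encode(b"console.log('constructed benign payload')").decode()
    + '&quot;),0)"></svg></body></html>'
)

# Constructed capture of an exfil body: the string "cc=4111" XORed with the
# key "script" and then base64-encoded, as the report describes.
SAMPLE_EXFIL_B64 = "EABPXUFFQg=="

SVG_ONLOAD_RE = re.compile(r"<svg\b[^>]*\bonload\s*=\s*(['\"])(.*?)\1", re.I | re.S)
ATOB_RE = re.compile(r"atob\(\s*(?:&quot;|['\"])([A-Za-z0-9+/=]+)(?:&quot;|['\"])\s*\)")


def find_svg_onload_atob(html: str) -> list[dict]:
    """Return every <svg onload=...> attribute that feeds a base64 literal to
    atob(), together with the decoded text, for manual review."""
    hits = []
    for match in SVG_ONLOAD_RE.finditer(html):
        onload = match.group(2)
        for blob in ATOB_RE.findall(onload):
            try:
                # validate=True raises on non-base64 junk instead of guessing
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except ValueError:
                decoded = "<undecodable base64>"
            hits.append({"onload": onload, "decoded": decoded})
    return hits


def decode_exfil_payload(b64_payload: str, key: bytes = b"script") -> str:
    """Undo the report's packaging (base64 over a repeating-key XOR) on a
    captured POST body so the stolen fields can be identified during IR."""
    raw = base64.b64decode(b64_payload)
    plain = bytes(c ^ key[i % len(key)] for i, c in enumerate(raw))
    return plain.decode("utf-8", "replace")


if __name__ == "__main__":
    for hit in find_svg_onload_atob(SAMPLE_HTML):
        print("suspicious svg onload ->", hit["decoded"])
    print("decoded exfil body ->", decode_exfil_payload(SAMPLE_EXFIL_B64))
```

Run it against saved checkout page sources and proxy captures; a hit on the first function or a readable card-style string from the second is grounds to treat the store as compromised and start the review described above.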