Magecart Skimmer Exploits SVG Vulnerability on Magento Checkout Pages

Jennifer sherman
April 10, 2026 3 Min Read

Key Takeaways

  • A significant Magecart campaign, discovered on April 7, 2026, has compromised 99 Magento e-commerce sites.
  • The attackers employ an innovative SVG-based skimmer that injects malicious code directly into checkout pages, making it difficult to detect.
  • The skimmer presents a convincing fake payment overlay, steals credit card details, encrypts them, and then redirects victims to the legitimate checkout process, often without their knowledge.
  • The PolyShell vulnerability is suspected to be the initial entry point for these widespread infections.
  • Immediate action is required for Magento and Adobe Commerce administrators to identify and mitigate the threat.

Sophisticated Magecart Campaign Leverages SVG Vulnerability on Magento Platforms

A new, highly evasive Magecart campaign, identified on April 7, 2026, has successfully breached 99 Magento e-commerce stores. This advanced attack method introduces credit card skimmers directly onto checkout pages by embedding malicious code within invisible Scalable Vector Graphics (SVG) elements, a technique designed to bypass conventional security measures.

The operation, dubbed a “double-tap” skimmer, deceives shoppers by presenting a lifelike fake payment interface. After illicitly capturing payment information, it seamlessly redirects users to the authentic checkout flow, ensuring most victims remain unaware of the data theft.

SVG Onload Evasion Technique Detailed

To circumvent standard scanning tools, the attackers rely on inline execution. They inject a concealed 1×1-pixel SVG element directly into the HTML of compromised storefronts. The entire malicious payload is stored base64-encoded inside the SVG’s onload attribute, decoded at runtime with atob(), and then executed via a setTimeout call. Because the malware resides entirely inline as a single attribute string, it creates no external script reference, which is what typically triggers automated security alerts.

Security researchers at Sansec suggest that the initial compromise vector for these mass infections is the ongoing PolyShell vulnerability, which continues to affect unpatched Magento and Adobe Commerce environments.

How the Skimmer Operates

The skimmer activates the moment a customer attempts to finalize a purchase. By registering a JavaScript event listener with useCapture enabled, the malware intercepts clicks on any checkout button before the legitimate store code can respond. It then generates a full-screen modal overlay, labeled “Secure Checkout,” complete with a trusted lock icon and real-time validation of credit card numbers.

Upon submission of billing details by the victim, the skimmer immediately encrypts the stolen data. The script applies an XOR cipher using the key “script” and subsequently encodes the final result in base64. This packaged data is then transmitted to one of six attacker-controlled domains. To further obscure the theft, the exfiltration endpoint is named /fb_metrics.php, camouflaging the malicious traffic as routine Facebook analytics data. After a successful data theft, the script places a marker in the browser and redirects the user to the genuine checkout page to complete their transaction.

What You Should Do

Administrators of Magento and Adobe Commerce platforms must immediately review their environments for signs of active infection. Sansec research highlights several indicators:

  • Check if the six identified exfiltration domains, including statistics-for-you.com and morningflexpleasure.com, resolve to the IP address 23.137.249.67 (Netherlands-based).
  • Inspect compromised page sources for <svg> elements containing suspicious onload attributes and atob() decoding functions.
  • Examine the browser’s local storage for the key _mgx_cv, which attackers use to prevent duplicate data theft from the same victim.
  • Monitor network traffic logs for data exfiltration via fetch() POST requests in no-cors mode, potentially with a hidden iframe as a fallback mechanism.
  • Ensure all Magento and Adobe Commerce installations are patched against known vulnerabilities, especially the PolyShell vulnerability.
  • Implement robust content security policies (CSPs) to restrict inline script execution and limit external resource loading.
  • Regularly scan e-commerce environments with specialized tools capable of detecting advanced skimmer techniques.
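As an added example (not from the article or from Sansec), the following Python triage script checks saved page source for the inline-SVG indicators described above: an `<svg>` element carrying an onload attribute that calls atob() and setTimeout, optionally sized 1×1. The sample HTML and the base64 string it contains are constructed for the demonstration; the decoded payload is a harmless placeholder.

```python
"""Triage helper: flag inline <svg onload> payloads of the kind described above."""
import base64
import re
from html.parser import HTMLParser

# Constructed sample page: one ordinary inline SVG icon plus one 1x1 SVG whose
# onload attribute base64-decodes a string with atob() and schedules it with
# setTimeout. The encoded content is a harmless constructed placeholder.
SAMPLE_HTML = (
    '<html><body>'
    '<svg width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z"/></svg>'
    '<svg width="1" height="1" onload="setTimeout(atob(&quot;'
    + base64.b64encode(b"console.log('constructed placeholder')").decode()
    + '&quot;),0)"></svg>'
    '</body></html>'
)

# Matches atob('...') / atob("...") with a base64 literal argument.
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


class SvgOnloadScanner(HTMLParser):
    """Collect <svg> start tags whose onload attribute matches the indicators."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True, so &quot; becomes a plain quote
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "svg":
            return
        a = dict(attrs)
        onload = a.get("onload") or ""
        if not onload:
            return
        reasons = []
        if "atob(" in onload:
            reasons.append("atob")
        if "setTimeout" in onload:
            reasons.append("setTimeout")
        if a.get("width") == "1" and a.get("height") == "1":
            reasons.append("1x1")
        if reasons:
            # Decode the embedded base64 literal so an analyst can read the payload.
            m = ATOB_RE.search(onload)
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace") if m else None
            self.findings.append({"reasons": reasons, "decoded": decoded})


def scan_html(html):
    """Return one finding per suspicious <svg onload> element in the given source."""
    parser = SvgOnloadScanner()
    parser.feed(html)
    return parser.findings
```

Run `scan_html()` over saved checkout-page source; each finding lists which indicators matched and the decoded onload payload for manual review.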
