Magecart Campaign Hides Magento Card Skimmer in 1x1 SVG Images
A large Magecart campaign compromised nearly 100 Magento and Adobe Commerce stores by hiding a full credit-card skimmer inside a 1x1-pixel SVG embedded directly in checkout page HTML. Researchers said the malware stores its payload in the SVG onload handler, decodes it with atob(), and runs it via setTimeout, allowing it to evade scanners that typically look for externally loaded scripts. When shoppers click checkout, the skimmer displays a convincing fake "Secure Checkout" overlay that captures billing and payment details before validating card numbers with the Luhn algorithm.
The stolen data is exfiltrated as XOR-encrypted, base64-obfuscated JSON to attacker-controlled infrastructure, in some cases disguised as Facebook analytics traffic. Sansec linked the infections to exploitation of the PolyShell vulnerability, which affects Magento Open Source and Adobe Commerce stable version 2 deployments and can enable unauthenticated code execution and account takeover. Defenders were urged to hunt for hidden SVG tags and suspicious onload code, check for the _mgx_cv localStorage key, and block outbound traffic to the identified attacker infrastructure, including domains resolving to 23.137.249.67 hosted by IncogNet in the Netherlands.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Researchers disclose SVG-based skimmer technique and IOCs
Researchers publicly detailed that the skimmer used an SVG onload handler with base64-decoded JavaScript, fake 'Secure Checkout' overlays, Luhn validation, and XOR/base64-obfuscated exfiltration. They also published indicators and hunting guidance, including the _mgx_cv localStorage key, attacker domains, and traffic to 23.137.249.67.
PolyShell vulnerability leaves Magento stores exposed
An ongoing PolyShell vulnerability affecting Magento Open Source and Adobe Commerce stable version 2 installations enabled unauthenticated code execution and account takeover, and researchers believe attackers likely used it to gain access to compromised stores. At the time of reporting, Adobe had not released a production security update, with a fix only available in pre-release version 2.4.9-alpha3+.
Magecart campaign compromises 99 Magento stores
Sansec discovered on 2026-04-07 a large-scale Magento skimming campaign affecting 99 online stores. The attackers hid a credit card skimmer inside a 1x1-pixel SVG embedded in checkout page HTML to evade detection.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Magecart Skimmer Abuses Google Tag Manager and Stripe API to Steal Card Data
Researchers at Sansec uncovered a Magecart campaign that uses trusted **Google Tag Manager** and **Stripe** infrastructure to steal payment data from e-commerce checkout pages. The skimmer is delivered through a malicious but legitimate-looking GTM container and activates on **Magento** and **Adobe Commerce** checkout flows, where it harvests card numbers, expiration dates, CVV codes, names, billing addresses, email addresses, and phone numbers. The malware retrieves additional JavaScript from Stripe customer metadata and executes it dynamically, helping the attack blend into normal traffic to trusted services. The stolen data is obfuscated with **XOR**, stored locally, and later exfiltrated by creating fake customer records in an attacker-controlled Stripe account, causing the theft to appear as ordinary traffic to `api.stripe.com` and potentially bypass content security policies and network filtering. Sansec also identified a variant that uses **Google Firestore** instead of Stripe, pulling payloads from a document named `tracking/captcha` in a project called `braintree-payment-app`. Researchers said the Stripe customer record used to host the skimmer was created on Dec. 24, 2025, indicating the campaign may have been active since at least then.
Jun 5, 2026
Magecart Campaign Hid Payment Skimmers in Google Tag Manager Containers
A long-running **Magecart** operation linked to the **ATMZOW** skimmer family abused **Google Tag Manager (GTM)** to inject credit-card theft code into compromised ecommerce checkout pages, according to Sucuri. The attackers hid malicious JavaScript inside GTM containers served through `googletagmanager.com`, exploiting the trust many sites place in that domain while using multi-stage obfuscation to steal payment data. Sucuri said the activity affected hundreds of sites, with one malicious container, `GTM-WJV6J6`, detected 178 times before removal, and tied the campaign to Magento-focused compromises dating back to the 2015 **Guruincsite** infections. Researchers said the operators rotated payload delivery through about 40 newly registered lookalike domains, used **Cloudflare** to shield infrastructure, and stored selected domains in browser local storage to complicate analysis and blocking. After Google removed malicious containers such as `GTM-WJ6S9J6` and `GTM-TVKQ79ZS`, the attackers quickly replaced them with new IDs including `GTM-NTV2JTB4` and `GTM-MX7L8F2M`, showing persistent reinfection efforts; in at least one case, the GTM-based skimmer ran alongside a separate WebSocket-based skimmer, indicating overlapping compromises and continued adaptation by the threat actor.
Jun 8, 2026Mass Exploitation of Magento SessionReaper (CVE-2025-54236) to Hijack Admin Sessions and Gain Root Access
Threat actors conducted a mass exploitation campaign against **Magento** e-commerce deployments by abusing **CVE-2025-54236** (aka **SessionReaper**), an authentication/session management flaw that allows attackers to bypass login controls by **reusing improperly invalidated session tokens**. Reporting based on an **Oasis Security** investigation described large-scale scanning that identified **1,000+ exposed/vulnerable Magento Commerce APIs** and confirmed compromises of **200+ websites** (with one count citing **216 victim sites**), indicating broad weaponization by multiple actors across regions. After hijacking valid admin sessions via replayed “zombie” tokens, intruders escalated privileges to achieve **root-level control** of affected Linux servers, enabling follow-on actions such as deploying **web shells** for persistent remote command execution and full administrative takeover of storefront infrastructure. Separately, research on **eSkimming/Magecart** activity highlighted that browser-based JavaScript payment-card theft remains persistent across e-commerce sites—often via third-party script/supply-chain compromise—and a longitudinal study of **550** previously compromised sites found **18%** still infected a year later, underscoring that e-commerce compromises frequently involve durable footholds and re-compromise even after initial cleanup.
Mar 21, 2026