Technology · Apr 9, 2026 · 3 min read

Attack on Magento: How a 1-Pixel Image Can Steal Credit Cards

A large-scale attack campaign is targeting dozens of e-commerce sites built on Magento Open Source and Adobe Commerce, using a simple but effective obfuscation technique. The attackers inject a 1x1 pixel SVG (Scalable Vector Graphics) element into the compromised stores, so it is effectively invisible to shoppers. The element carries an onload attribute that acts as the trigger: the handler decodes a base64 string with atob() and hands the result to setTimeout(), which executes it as code.

Using SVG as the carrier lets the criminals slip past common signature-based detection. Many security scanners look mainly for script references to suspicious external hosts, but here nothing external is loaded and no script tag is involved: the entire loader sits inline, as a string in an event-handler attribute of an apparently harmless image element. A scanner that does not inspect attribute values simply does not see it.

Invisible Skimming: The Threat Runs on a Single Pixel

According to analyses by researchers at Sansec, the entry point for these attacks is a vulnerability known as PolyShell, made public in mid-March. It is a critical flaw that allows unauthenticated code execution and full account takeover on all stable Magento 2 installations. Although the vulnerability is known, Adobe has not yet shipped a fix for production releases; the correction is so far available only in the pre-release 2.4.9-alpha3+ builds. This delay leaves thousands of merchants exposed, and more than half of the vulnerable stores have reportedly already been targeted, with attackers using various exfiltration techniques, including skimmers that exfiltrate over WebRTC channels.

Once the code runs in the victim's browser, the malware waits for the shopper to click the purchase button. It then intercepts the click and draws an overlay that closely mimics a "Secure Checkout" page. The shopper, believing this is a legitimate payment step provided by the merchant, enters card details and billing information. Before sending anything, the malware validates the card number in real time with the Luhn checksum, so only formally valid numbers are exfiltrated and typos or junk are discarded. To stay persistent and inconspicuous, it then writes a marker key to the browser's localStorage. The marker tells the skimmer that this visitor has already been "processed", so the fake overlay is not shown again in later sessions; a shopper, or a merchant re-testing checkout in the same browser, is therefore unlikely to see it twice, which reduces the chance that the anomaly is noticed.
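As an added example (not the skimmer's code and not from the article), the following Node.js snippet shows the Luhn gate described above and the filtering effect it has on a batch of captured values: well-formed numbers pass, a single-digit typo and non-numeric input are dropped before anything would be sent. The inputs are constructed (public test card numbers), and the 12..19 digit length bound is an assumption; the article does not state one.

```javascript
// Added example: the Luhn (mod 10) checksum the skimmer is described as
// applying before exfiltration. Constructed inputs; not the skimmer's code.

// Return true when the digits pass the Luhn checksum. Separators a
// checkout form typically allows (spaces, dashes) are stripped first;
// anything else, or a length outside 12..19 digits (an assumed range,
// the article gives none), is rejected outright.
function luhnValid(input) {
  const digits = String(input).replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  // Walk from the check digit leftwards, doubling every second digit
  // and folding two-digit results back into a single digit (d - 9).
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Split a batch of captured form values into what a Luhn gate would
// forward versus discard: the filtering effect the article attributes
// to the skimmer, shown on constructed values.
function partitionByLuhn(values) {
  const pass = [];
  const drop = [];
  for (const v of values) (luhnValid(v) ? pass : drop).push(v);
  return { pass, drop };
}

// Constructed sample: two well-known test PANs, one typo, one junk entry.
const SAMPLE_INPUTS = [
  "4111 1111 1111 1111",
  "4242-4242-4242-4242",
  "4111111111111112",
  "not a card",
];
const SAMPLE_RESULT = partitionByLuhn(SAMPLE_INPUTS);

console.log("would be exfiltrated:", SAMPLE_RESULT.pass);
console.log("silently discarded:  ", SAMPLE_RESULT.drop);
```

The same check is what a defender can use in reverse: a skimmer that only ships Luhn-valid numbers produces far less noise in its exfiltration traffic, so do not expect to find garbage test values in captured payloads.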

The captured data is assembled as JSON, XOR-ed byte by byte against the static key "script", and then base64-encoded. It is exfiltrated to attacker-controlled domains, many of them hosted on IncogNet LLC infrastructure in the Netherlands. The traffic is disguised as analytics: requests target endpoints such as /fb_metrics.php to resemble a Facebook tracker. To avoid tripping over CORS (Cross-Origin Resource Sharing) restrictions, the skimmer sends the data with fetch() in no-cors mode, which lets a simple cross-origin request go out without a preflight (the response is opaque, but the attacker never needs to read it), or, alternatively, through a hidden iframe.
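The wrapper described above is trivially reversible because the key is static. As an added example (not the skimmer's code and not from the article), the Node.js snippet below builds a constructed payload with the same JSON → XOR("script") → base64 steps and then decodes it as an analyst would from a captured request body. It also derives a side effect the article does not spell out: since every JSON object starts with the two bytes `{"` and the key never changes, the first two ciphertext bytes are constant, so every payload shares the same base64 prefix, which is a cheap network signature for this particular wrapper. The record's field names and values are assumptions for the demo.

```javascript
// Added example: encode/decode the exfiltration wrapper described in the
// article (JSON -> XOR against the repeating static key "script" -> base64).
// The encoder exists only to build a constructed sample; neither function
// is the skimmer's own code.

const STATIC_KEY = "script";

// XOR every byte against the key, repeating the key as needed. With a
// fixed key this is its own inverse: the same call encodes and decodes.
function xorWithKey(bytes, key) {
  const k = Buffer.from(key, "utf8");
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ k[i % k.length];
  return out;
}

// Wire form of a record: JSON, XOR, base64.
function encodeExfil(record, key = STATIC_KEY) {
  return xorWithKey(Buffer.from(JSON.stringify(record), "utf8"), key).toString("base64");
}

// Reverse the wrapper on a captured request body. JSON.parse throws when
// the key is wrong, which is itself a useful signal during analysis.
function decodeExfil(b64, key = STATIC_KEY) {
  return JSON.parse(xorWithKey(Buffer.from(b64, "base64"), key).toString("utf8"));
}

// Every JSON object starts with '{"'. XOR-ed against a fixed key those two
// bytes are constant, and the first two base64 characters depend only on
// them, so all payloads share this prefix.
function expectedPrefix(key = STATIC_KEY) {
  return xorWithKey(Buffer.from('{"', "utf8"), key).toString("base64").slice(0, 2);
}

// Constructed sample record (fake values; field names are assumed).
const SAMPLE_RECORD = { number: "4111111111111111", exp: "12/29", cvv: "123", name: "Test User" };
const SAMPLE_WIRE = encodeExfil(SAMPLE_RECORD);

console.log("wire form:    ", SAMPLE_WIRE);
console.log("shared prefix:", expectedPrefix());
console.log("decoded:      ", decodeExfil(SAMPLE_WIRE));
```

When reviewing proxy or CDN logs for calls to unexpected /fb_metrics.php-style endpoints, the shared prefix gives a quick triage filter; decoding the body with the known key then confirms whether it carries cardholder data.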

To mitigate the risk, administrators should inspect the page source their storefront actually serves to shoppers for SVG elements carrying onload attributes, especially 1x1 ones whose handlers call atob() or setTimeout(); watch outbound requests from checkout pages for analytics-looking calls to domains they never authorized, bearing in mind that no-cors fetches and hidden iframes do not show up as ordinary XHR traffic; and, where feasible, move to the pre-release 2.4.9 build named above while the final patch is pending.
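As an added example (not code from the article or from Sansec), the following Node.js scanner implements the first check above over served HTML, covering the obfuscation described at the start of the article: it reports every inline SVG that carries an onload attribute, tags the indicators the text names (atob(), setTimeout(), 1x1 dimensions), and decodes the base64 argument of atob() so an analyst can read the payload directly. The sample page, the harmless stand-in payload and the function names are constructed for the demo. It uses regexes so it runs without a DOM library; on real pages prefer a proper HTML parser, since an attribute value containing a literal ">" would defeat the tag regex used here.

```javascript
// Added example: scan served storefront HTML for inline <svg> loaders of
// the kind described in the article. Regex-based so it runs in plain Node
// without a DOM; use a real HTML parser on production pages.

const SVG_TAG_RE = /<svg\b[^>]*>/gi;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse one <svg ...> opening tag into a lowercase attribute map.
function parseAttributes(tag) {
  const body = tag.replace(/^<svg\b/i, "").replace(/\/?>$/, "");
  const attrs = {};
  for (const m of body.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Recover the plaintext of the first atob('...') argument in a handler,
// or null when the handler has none.
function decodeAtobArgument(handler) {
  const m = /atob\(\s*(["'])([A-Za-z0-9+/=\s]*)\1\s*\)/.exec(handler);
  if (!m) return null;
  return Buffer.from(m[2].replace(/\s+/g, ""), "base64").toString("utf8");
}

// Report every inline SVG with an onload attribute, listing which of the
// indicators from the article it shows. An empty list still merits a look:
// a legitimate storefront rarely needs onload on an image element.
function findInlineSvgLoaders(html) {
  const findings = [];
  for (const m of html.matchAll(SVG_TAG_RE)) {
    const attrs = parseAttributes(m[0]);
    if (!("onload" in attrs)) continue;
    const handler = attrs.onload;
    const reasons = [];
    if (/\batob\s*\(/.test(handler)) reasons.push("atob()");
    if (/\bsetTimeout\s*\(/.test(handler)) reasons.push("setTimeout()");
    if (attrs.width === "1" && attrs.height === "1") reasons.push("1x1 dimensions");
    findings.push({ offset: m.index, reasons, handler, decoded: decodeAtobArgument(handler) });
  }
  return findings;
}

// Constructed sample page: a benign icon plus a 1x1 SVG whose onload
// handler mirrors the described pattern. The payload is a harmless
// stand-in, not the real skimmer.
const STAND_IN_PAYLOAD = "console.log('payload would run here')";
const SAMPLE_HTML = `<html><body>
<svg width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z"/></svg>
<p>Checkout</p>
<svg width="1" height="1" onload="setTimeout(atob('${Buffer.from(STAND_IN_PAYLOAD).toString("base64")}'),100)"></svg>
</body></html>`;

// Demo run over the constructed page.
for (const f of findInlineSvgLoaders(SAMPLE_HTML)) {
  console.log(`svg at offset ${f.offset}: indicators=[${f.reasons.join(", ")}]`);
  if (f.decoded !== null) console.log("  decoded payload:", f.decoded);
}
```

Run it against the HTML returned by the checkout and cart URLs rather than against theme files, because an injected element is only certain to appear in what the store actually serves.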