# Magento Stores Under Fire: Hackers Hide Credit Card Stealer in Pixel-Sized SVG Images


A sophisticated threat campaign targeting approximately 100 Magento-powered online stores has exposed a clever obfuscation technique that leverages imperceptible SVG (Scalable Vector Graphics) images to inject credit card-stealing malware. The attack represents a significant evolution in e-commerce compromise tactics, combining supply chain vulnerabilities with advanced evasion methods to evade detection by security tools.


## The Threat


Security researchers have identified a coordinated attack campaign compromising Magento e-commerce installations through malicious code hidden within microscopically small SVG files. The attack vector exploits the visual blind spot of human observers and security scanning tools alike—the malicious payload is embedded in SVG graphics rendered at pixel dimensions (often 1×1 pixels), making it effectively invisible to site administrators reviewing code or performing routine audits.


Key threat indicators:

  • Scope: Nearly 100 Magento stores across multiple industries
  • Payload: JavaScript-based credit card skimming code
  • Delivery method: Compromised template files and JavaScript includes
  • Detection difficulty: Extreme—pixel-sized visual content bypasses most manual inspection
  • Data at risk: Customer payment card data, including PAN, CVV, and expiration dates

    • ## Background and Context


    Magento, the widely-used open-source e-commerce platform, remains a persistent target for threat actors due to its popularity and the complexity of maintaining security across its ecosystem. The platform powers approximately 1.5% of all websites globally and is particularly prevalent among enterprise retailers, making it an attractive target for card skimmers and other financial threat actors.


    Why Magento is a target:

  • Widespread deployment across enterprise retail environments
  • Legacy instances running outdated, unpatched versions
  • Complex supply chain of third-party extensions and themes
  • High-value payoff from access to customer payment data
  • Persistent vulnerabilities in extensions from lesser-known developers

    • The current campaign appears to represent an escalation in sophistication. Rather than deploying skimming code directly in checkout pages (a tactic that's become easier to detect), attackers are leveraging SVG steganography—hiding malicious content within image files in a way that evades traditional security analysis.


    ## Technical Details


    ### The SVG Evasion Technique


    SVG files are XML-based, text vector graphics that can be created with minimal file size. An attacker can embed JavaScript directly within SVG markup, and when a browser renders the SVG, the embedded script executes in the page context.


    The attack chain:


    1. Initial compromise — Attackers gain access to a Magento store through compromised admin credentials, vulnerable extensions, or SQL injection

    2. Malicious template injection — JavaScript code is injected into store template files or static asset directories

    3. SVG wrapping — The skimming code is wrapped inside an SVG file, often in a script tag or as data URIs

    4. Pixel-sized rendering — The SVG is configured to render at 1×1 or 2×2 pixel dimensions, making it invisible on the page

    5. Form interception — The embedded JavaScript listens for checkout form submissions and exfiltrates card data to attacker-controlled servers

    6. Data exfiltration — Captured card information is sent to a C2 server outside the victim's domain


    ### Why SVG Works as a Hiding Spot


    Traditional security tools scan JavaScript files for known skimming patterns and malicious code signatures. However, security scanners often:

  • Skip visual content analysis — SVG files are treated as benign graphics, not code
  • Miss nested execution contexts — Inline scripts within SVG tags are sometimes overlooked by static analysis
  • Lack behavioral analysis — Tools don't always monitor DOM manipulation triggered by SVG-embedded scripts

    • Additionally, pixel-sized visual content is almost never noticed during manual code review, as developers won't detect a 1×1 image visually or in screenshot comparisons.


    ## Implications for E-Commerce Organizations


    This campaign carries significant consequences for affected merchants and their customers:


    ### Immediate Risks

    | Impact | Details |

    |--------|---------|

    | Payment Card Data Loss | Customer card numbers, CVVs, and expiration dates compromised |

    | Compliance Violations | PCI DSS non-compliance due to malware infection |

    | Customer Liability | Fraudulent charges, identity theft, decreased customer trust |

    | Financial Penalties | PCI fines, chargeback fees, potential litigation |


    ### Long-Term Consequences

  • Reputational damage from customer data breaches
  • Loss of customer confidence and potential sales decline
  • Regulatory scrutiny from financial and data protection authorities
  • Increased operational costs for incident response and forensics

    • ## Recommendations


    ### For Magento Store Operators


    Immediate actions:

  • Scan for compromise using malware detection tools focused on SVG files and pixel-sized image resources
  • Review admin logs for unauthorized access and template modifications within the past 3-6 months
  • Inspect template files for unusual SVG includes or external JavaScript references
  • Check customer payment systems for unauthorized data exfiltration indicators

    • Short-term security measures:

  • Upgrade Magento to the latest patched version (2.4.6+ or equivalent LTS release)
  • Audit extensions for known vulnerabilities; remove unused or unsupported modules
  • Enforce strong authentication including multi-factor authentication (MFA) for admin accounts
  • Restrict file upload functionality to specific directories with strict file-type validation
  • Implement Content Security Policy (CSP) headers to limit script execution sources

    • Long-term hardening:

  • Deploy Web Application Firewall (WAF) with rules specifically targeting e-commerce threats
  • Enable payment tokenization to avoid storing raw card data in your systems
  • Use PCI-compliant payment gateways that handle card processing outside your infrastructure
  • Monitor for unusual API calls and data exfiltration patterns using behavioral analysis tools
  • Maintain regular security audits and penetration testing of payment pages

    • ### For Payment Processors and Card Networks


  • Monitor for anomalous card testing patterns that indicate compromised merchant environments
  • Implement velocity checks on suspicious transactions
  • Communicate breaches to affected cardholders and financial institutions promptly
  • Share indicators of compromise (IOCs) across the payments ecosystem

    • ### For the Security Community


  • Develop detection signatures for SVG-based skimming code, including behavioral patterns
  • Educate web developers on SVG security implications and safe file handling
  • Create public threat intel on C2 infrastructure used by this campaign
  • Build automated scanning tools that analyze embedded scripts within media files

    • ## Conclusion


    The Magento SVG skimming campaign represents a notable shift in e-commerce attack sophistication. By hiding malicious code in imperceptibly small images, threat actors have discovered a detection gap that traditional security tools struggle to address. Organizations running Magento or any e-commerce platform must prioritize comprehensive security assessments, keep systems fully patched, and implement layered defenses that go beyond reactive malware scanning.


    The lesson is clear: attackers will continue to exploit the gaps between human perception and automated detection. Only through a combination of proactive hardening, behavioral monitoring, and ongoing threat intelligence can organizations hope to stay ahead of these sophisticated threats.