Hackers use pixel-large SVG trick to hide credit card stealer
A large-scale MageCart campaign has compromised nearly 100 Magento-based online stores by hiding credit card skimmer code inside a 1x1-pixel SVG element. The malicious payload is base64-encoded in an 'onload' attribute, which avoids detection by security scanners that look for external script references. When shoppers click checkout, a fake 'Secure Checkout' overlay captures card and billing details, validates them with the Luhn algorithm, and exfiltrates them XOR-encrypted to attacker-controlled domains. The attack likely exploits the unpatched PolyShell RCE vulnerability in Magento. Adobe has not yet released a production fix; only a pre-release alpha patch exists. Sansec recommends scanning for hidden SVG onload tags, checking browser localStorage for the _mgx_cv key, and blocking known exfiltration IPs and domains.
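A sketch of the first recommendation, scanning page source for hidden SVG onload tags, written as an added example and not taken from Sansec or the article. The 40-character base64 threshold, the sample HTML, and the handler name x() are assumptions constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser

# A long base64-looking run in a handler; the 40-character floor is an assumption.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def _tiny(value):
    """True when a width/height attribute is 1 pixel or less."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(?:px)?\s*", value or "")
    return bool(m) and float(m.group(1)) <= 1

class SvgOnloadFinder(HTMLParser):
    """Collects <svg> start tags that carry an inline onload handler."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag != "svg" or "onload" not in a:
            return
        reasons = ["svg element with onload handler"]
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 pixel or smaller")
        if B64_RUN.search(a["onload"]):
            reasons.append("base64-like run in handler")
        self.findings.append({"line": self.getpos()[0], "reasons": reasons})

def scan(html_text):
    """Return one finding per suspicious <svg> tag, with its line number."""
    finder = SvgOnloadFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample page: a normal icon, then a 1x1 SVG whose handler holds
# an inert base64 placeholder (x() is a hypothetical name, not from the article).
PLACEHOLDER = base64.b64encode(b"constructed placeholder, not a real payload").decode()
SAMPLE = (
    "<html><body>\n"
    '<svg width="24" height="24"><path d="M0 0h24v24H0z"/></svg>\n'
    '<svg width="1" height="1" onload="x(\'' + PLACEHOLDER + "')\"></svg>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {', '.join(f['reasons'])}")
```

Run it over saved storefront HTML or template and CMS block exports; a finding that carries all three reasons matches the pattern described above and deserves manual review.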