Hackers Use SVG Onload Trick to Hide Magecart Skimmer on Magento Checkout Pages

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A massive Magecart campaign has compromised 99 Magento e-commerce stores using an innovative evasion technique. Discovered on April 7, 2026, the attack relies on invisible Scalable Vector Graphics (SVG) elements to inject credit card skimmers directly into checkout pages.

This “double-tap” skimmer displays a highly convincing fake payment overlay before silently redirecting shoppers to the legitimate checkout process, ensuring most victims remain completely unaware of the theft.

To evade traditional scanners, attackers are shifting to inline execution by injecting a hidden 1×1-pixel SVG element directly into a compromised store’s HTML.

SVG Onload Evasion Technique

The entire malicious payload is hidden in the SVG’s onload attribute as a base64 string that is decoded with atob() and executed via a setTimeout call.

Because the malware lives entirely inline as a single string attribute, it avoids creating the external script references that typically trigger automated security alerts.

Sansec security experts believe the initial entry vector for these mass infections is the ongoing PolyShell vulnerability, which continues to plague unpatched Magento and Adobe Commerce environments.

The skimmer activates the moment a shopper attempts to finalize their purchase. Using a capture-phase (useCapture) JavaScript event listener, the malware intercepts clicks on any checkout button before the store’s legitimate code can respond.

It then generates a full-screen modal overlay titled “Secure Checkout,” complete with a trusted lock icon and real-time validation for credit card numbers.

Once the victim submits their billing information, the skimmer instantly encrypts the stolen data. The script applies an XOR cipher using the key “script” and encodes the final result in base64.

The malware then transmits this packaged data to one of six attacker-controlled domains.

To further mask the theft, the exfiltration endpoint is named /fb_metrics.php, disguising the malicious traffic as routine Facebook analytics data.

After a successful theft, the script drops a marker in the browser and sends the user to the real checkout page to complete their transaction.

According to Sansec research, administrators should immediately review their environments for the following signs of an active infection:

  • All six exfiltration domains, including statistics-for-you.com and morningflexpleasure.com, resolve to a single Netherlands-based IP address: 23.137.249.67.
  • Compromised page sources will feature <svg> elements containing suspicious onload attributes and atob() decoding calls.
  • The browser’s local storage contains the key _mgx_cv, which attackers use to prevent payment data for the same victim from being stolen twice.
  • Network traffic logs will show data exfiltration via fetch() POST requests in no-cors mode, with a hidden iframe serving as a fallback.
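The inline SVG onload technique and the page-source indicator above lend themselves to a simple scanner. The following is an added example, not Sansec’s tooling or code from the campaign: it parses saved page source, flags any <svg> whose onload attribute combines atob() with setTimeout, records whether the element is sized 1×1, and unpacks the base64 literal so an analyst can read what would have run. The sample HTML and the benign payload it carries are constructed for the demonstration.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed, benign stand-in for the skimmer payload; a real infection carries the skimmer here.
_DEMO_B64 = base64.b64encode(b'console.log("constructed sample")').decode()
# Constructed page source (not from a real store): one 1x1 SVG whose onload unpacks
# a base64 string with atob() and schedules it via setTimeout, plus a harmless logo SVG.
SAMPLE_HTML = f"""<html><body>
<svg width="1" height="1" onload="setTimeout(atob('{_DEMO_B64}'),500)"></svg>
<svg width="120" height="40" onload="this.classList.add('ready')"><text>logo</text></svg>
</body></html>"""

ATOB_LITERAL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

def _is_tiny(attrs):
    # 1x1 sizing via width/height attributes or an inline style
    style = attrs.get("style", "").replace(" ", "")
    return (attrs.get("width") == "1" and attrs.get("height") == "1") or \
        ("width:1px" in style and "height:1px" in style)

class SvgOnloadScanner(HTMLParser):
    # Flags <svg> elements whose onload decodes with atob() and defers via setTimeout
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "svg":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        onload = a.get("onload", "")
        if "atob(" not in onload or "setTimeout" not in onload:
            return
        m = ATOB_LITERAL.search(onload)
        decoded = ""
        if m:  # unpack the literal so the analyst can read what would have run
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                decoded = "<undecodable base64>"
        self.findings.append({"line": self.getpos()[0], "tiny": _is_tiny(a),
                              "onload": onload, "decoded": decoded})

def scan_page(html):
    # Return suspicious <svg onload> findings (list of dicts) for one page source
    scanner = SvgOnloadScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Run scan_page() over the HTML each checkout page actually serves to browsers, since the injected element is present only in the rendered store output, not in the theme files on disk.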

