Pixel‑Sized SVG Skimmer Campaign Exploits Magento PolyShell Vulnerability to Steal Credit Cards from ~100 Online Stores
What Happened — A coordinated campaign injected a 1×1‑pixel SVG element with an onload handler into the checkout pages of nearly 100 Magento‑based e‑commerce sites. The inline payload, base64‑encoded and executed via atob(), displayed a fake “Secure Checkout” overlay that captured card numbers, expiration dates and CVV, then exfiltrated the data in an XOR‑encrypted JSON blob.
Why It Matters for TPRM —
- Attack bypasses traditional script‑blocking scanners by living entirely inside an SVG tag.
- Stolen payment data can trigger PCI‑DSS non‑compliance, fines, and brand damage for merchants and their payment processors.
- The underlying PolyShell vulnerability (CVE‑2025‑XXXX) remains unpatched in production Magento releases, exposing a large supply‑chain surface.
Who Is Affected — Retail & e‑commerce merchants running Magento Open Source or Adobe Commerce (stable 2.x).
Recommended Actions —
- Scan for hidden SVG tags with onload attributes and remove malicious code.
- Verify the presence of the _mgx_cvkey key in browser localStorage as an indicator of compromise.
- Block outbound requests to the identified exfiltration domains and IP 23.137.249.67.
- Apply all available Magento mitigations and upgrade to the latest pre‑release (2.4.9‑alpha3+) that patches PolyShell.
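As an added detection example (not code from the BleepingComputer report or from Magento): a Python scanner over saved checkout-page HTML that lists every SVG element carrying an onload handler, flags the ones that are 1×1 or decode with atob(), and checks a localStorage snapshot for the _mgx_cvkey marker. The sample HTML and the BASE64_PLACEHOLDER string are constructed.

```python
from html.parser import HTMLParser

SKIMMER_STORAGE_KEY = "_mgx_cvkey"  # localStorage indicator named in the report

def _is_one_pixel(value):
    """True for width/height values of 1 or 1px (the skimmer's hidden size)."""
    return value is not None and value.strip().lower() in ("1", "1px")

class SvgOnloadScanner(HTMLParser):
    """Collect every <svg> element that carries an onload handler."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "svg":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if "onload" not in a:
            return
        self.findings.append({
            "handler": a["onload"],
            "pixel_sized": _is_one_pixel(a.get("width")) and _is_one_pixel(a.get("height")),
            "uses_atob": "atob(" in a["onload"],
        })

def scan_html(html):
    """Return all <svg onload=...> findings in the given page source."""
    parser = SvgOnloadScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

def suspicious_findings(html):
    """Keep only findings showing the campaign's traits: 1x1 size or atob() decoding."""
    return [f for f in scan_html(html) if f["pixel_sized"] or f["uses_atob"]]

def has_skimmer_marker(local_storage):
    """Check a dict snapshot of localStorage for the _mgx_cvkey indicator."""
    return SKIMMER_STORAGE_KEY in local_storage

# Constructed sample: one hidden injected SVG beside a benign SVG that also uses onload.
SAMPLE_HTML = """
<div id="checkout">
  <svg width="1" height="1" onload="eval(atob('BASE64_PLACEHOLDER'))"></svg>
  <svg width="200" height="50" onload="initLogo()"><path d="M0 0h24v24H0z"/></svg>
</div>
"""
```

Run it against HTML captured from a real checkout page (for example, saved from a browser session or fetched with curl) and review every flagged handler by hand; the benign onload in the sample shows why the size and atob() traits are used to rank findings rather than treating every onload as malicious.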
Technical Notes — The campaign leverages the unauthenticated code‑execution flaw in PolyShell (CVE‑2025‑XXXX) to inject the SVG skimmer. Payment data is validated locally with the Luhn algorithm, then exfiltrated via an XOR‑encrypted, base64‑obfuscated JSON payload to six domains hosted by IncogNet LLC (AS40663). Source: BleepingComputer