Hackers hide a Magecart skimmer in SVG code on 99 Magento stores


A new Magecart campaign has compromised 99 Magento stores by hiding the skimmer inside a tiny inline SVG element on checkout pages. Sansec says the attackers used a 1×1 pixel SVG with a malicious onload handler, which let them execute the payload without loading an external script that many scanners would normally catch.

The attack targets shoppers at the moment they try to pay. According to Sansec, the injected code intercepts clicks on checkout buttons, shows a fake full-screen payment window, steals card details, and then sends the shopper back to the real checkout flow so the theft stays hidden.

Sansec believes the infections likely tie back to the ongoing PolyShell problem affecting Magento and Adobe Commerce environments. The firm disclosed PolyShell in March and said it allows unrestricted file uploads through the REST API, with active attacks already hitting a large share of stores.

How the SVG trick hides the skimmer

What makes this campaign stand out is how little visible infrastructure it needs. Sansec says the entire payload sits inside the SVG element’s onload attribute, where it is decoded with atob() and then executed with setTimeout(), avoiding the external JavaScript references that defenders often hunt for first.

Once active, the malware uses a capture-phase click listener so it can act before the legitimate checkout code responds. That allows the skimmer to insert a convincing payment overlay with a lock icon and validation behavior that looks normal to the shopper.

After a victim submits payment data, the script encrypts the stolen information with an XOR routine keyed on the string “script”, then encodes the result with Base64 before sending it away. Sansec says the data leaves through /fb_metrics.php, a name chosen to resemble ordinary analytics traffic.

Why Magento stores should worry

This is not just another simple card skimmer. Because the code runs inline and only springs into action at checkout, it can stay harder to spot during casual inspection and can blend in with a live store until someone reviews the page source closely. That is an inference based on Sansec’s technical breakdown of the inline SVG delivery method and the fake overlay behavior.

Sansec also says all six exfiltration domains used in this cluster resolve to the same Netherlands-based IP address, 23.137.249.67. The report names domains including statistics-for-you.com and morningflexpleasure.com as part of the infrastructure.

The broader context makes the threat more urgent. Sansec reported a mass PolyShell attack wave on March 30 that hit 471 stores in a single hour, which suggests attackers already have a scalable path to plant malicious code across many Magento environments quickly.

Indicators of compromise

Indicator: What to look for
Hidden SVG element: Inline <svg> tag with a suspicious onload attribute
Decoding behavior: atob() and delayed execution with setTimeout()
Browser marker: Local storage key _mgx_cv
Exfiltration path: POST requests to /fb_metrics.php
Infrastructure: Domains resolving to 23.137.249.67
User behavior: Fake “Secure Checkout” overlay before normal checkout resumes

What admins should do now

  • Inspect checkout page source for inline <svg> elements with encoded onload payloads.
  • Check browser storage for the _mgx_cv key, which the attackers use to avoid stealing from the same victim twice.
  • Review logs for fetch() POST requests in no-cors mode and suspicious iframe-based fallback traffic.
  • Hunt for any outbound connections to the listed skimmer domains or the IP address 23.137.249.67.
  • Patch and harden Magento or Adobe Commerce systems as far as current vendor guidance allows, because Sansec says PolyShell remains active in the wild.
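The first two checks above can be scripted. The scanner below is an added example written for this article, not Sansec's tooling: it walks page source with Python's standard-library HTML parser, flags inline <svg> tags whose onload handler calls atob(), decodes any literal Base64 argument for review, and reports whether the element is 1×1, whether execution is delayed with setTimeout(), and which of the reported indicator strings appear. The sample page and its marker payload are constructed for the demonstration.

```python
import base64
import re
from html.parser import HTMLParser

# Strings the Sansec report ties to this campaign (see the indicator table above).
IOC_STRINGS = ("/fb_metrics.php", "_mgx_cv", "23.137.249.67")
# atob('...') with a literal Base64 argument, the decoding step the report describes.
B64_LITERAL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


class SvgOnloadScanner(HTMLParser):
    """Flag inline <svg> tags whose onload handler decodes a Base64 payload."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "svg":  # HTMLParser lowercases tag and attribute names
            return
        attrs = dict(attrs)
        onload = attrs.get("onload") or ""
        if "atob(" not in onload:
            return  # onload handlers that never decode anything are ignored here
        decoded = []
        for b64 in B64_LITERAL.findall(onload):
            try:
                decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
            except ValueError:
                continue  # not valid Base64; the handler itself is still recorded
        searchable = onload + "".join(decoded)
        self.findings.append({
            "tiny": attrs.get("width") == "1" and attrs.get("height") == "1",
            "delayed": "setTimeout(" in onload,
            "decoded": decoded,
            "iocs": [s for s in IOC_STRINGS if s in searchable],
        })

def scan_html(html):
    """Return one finding per inline <svg> whose onload decodes a payload."""
    scanner = SvgOnloadScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: one benign onload and one 1x1 SVG carrying a harmless
# Base64 marker, mimicking the delivery shape the report describes.
SAMPLE_PAYLOAD = "/* constructed marker */ localStorage.getItem('_mgx_cv');"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_HTML = ('<div><svg onload="init()"></svg><svg width="1" height="1" '
               f"onload=\"setTimeout(atob('{SAMPLE_B64}'),0)\"></svg></div>")
```

Run scan_html() over saved checkout page source; a finding with "tiny" and "delayed" set and a non-empty "iocs" list matches the pattern Sansec describes, while the benign init() handler in the sample is not reported.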

FAQ

What is new about this Magecart campaign?

The main change is the use of a hidden SVG onload payload instead of a normal external script. That makes the skimmer easier to hide inside page HTML.

How does the theft happen?

The malware intercepts the checkout click, shows a fake payment overlay, steals the entered card data, and then forwards the shopper to the legitimate checkout page.

How many stores were affected?

Sansec said it found 99 compromised stores in this specific campaign.

Is PolyShell part of this story?

Sansec says PolyShell is the likely entry point for these infections, though the skimmer report stops short of calling it proven in every case.
