A new wave of cyberattacks has raised serious concerns for eCommerce security.
On April 7, 2026, researchers at Sansec uncovered a large-scale campaign that compromised 99 Magento stores and put customer payment data at risk during checkout.
Here is a closer look at how the attack works and what it means for store owners.
What is the SVG Onload Magecart Skimmer?
The SVG Onload Magecart Skimmer is a clever cyberattack discovered by Sansec that affected 99 Magento stores. In this attack, hackers hide malicious code inside tiny, invisible SVG images (as small as 1×1 pixels). When the image loads, the hidden code runs automatically without being detected by normal security tools.
It then shows a fake checkout page that looks real, tricking customers into entering their payment details. This sensitive information is secretly captured, encrypted, and sent to hacker-controlled websites that appear like normal analytics services.
Characteristics of the SVG Onload Attack
The SVG Onload attack is unique because it is very precise and can easily look like normal website activity. According to Sansec, the following features define this attack:
- The malware is placed inside a very small SVG image, making it almost impossible to see
- It uses the image’s onload feature to run as soon as the page loads
- The code is encoded (Base64), so security tools can’t easily detect it
- It intercepts clicks and stops the real checkout from loading
- Displays a realistic fake payment form to trick users
- The captured information is encrypted before being sent
- Data is sent to fake domains that appear like regular analytics services
- It marks the user’s browser, so the attack doesn’t repeat, making it difficult to detect
Why Attackers Are Using SVG-Based Skimmers
Cybercriminals are shifting to SVG elements because they provide a stealthy way to hide and run malicious code inside tiny, invisible image files. The following are more reasons:
Bypassing Security Scanners
Most security tools check for suspicious scripts or external JavaScript files. But since these skimmers are hidden inside an image’s onload feature, they often go unnoticed because scanners don’t usually check images for hidden code.
Automatic Execution
Unlike standard images, SVGs support event handlers. As soon as the browser renders the invisible image, the onload handler triggers the malware. This ensures the skimmer runs instantly, with no clicks or other user interaction required.
Advanced Obfuscation
Attackers use Base64 encoding and XOR encryption to hide the malicious payload. They also disguise the stolen data as harmless analytics traffic, sending it to domains that mimic legitimate services like Facebook metrics to avoid triggering network firewalls.
Stealth and Persistence
These skimmers often check a browser’s local storage for a specific marker to ensure they only target a user once. This makes the infection extremely difficult for developers to replicate and troubleshoot, as the malware will not reappear on the same device.
Convincing Deception
The skimmer generates a high-quality fake checkout modal that mirrors the look of the actual store. By including real-time card validation, it tricks shoppers into providing their details before silently redirecting them to the real checkout page to finish the transaction.
How the SVG Magecart Attack Works
It works by hiding malicious code inside a tiny, invisible (1×1 pixel) SVG image on a website. The code is encoded and placed in the image’s onload feature, so it runs automatically when the page loads. Since everything is inside the image and not an external script, it is harder for security tools to detect.
Once active, the malware can interrupt the checkout process and show a fake payment form that looks real. When users enter their details, the data is captured, encrypted, and sent to attackers. To stay hidden, the script marks the user’s browser so the fake form doesn’t appear again, making the attack difficult to detect.
Impact on Magento and eCommerce Stores
The SVG Magecart attack has serious implications for merchants, ranging from immediate data theft to long-term legal and financial damage.
- Widespread merchant compromise – Researchers found that 99 Magento stores were infected in a single attack. By using automated tools and vulnerabilities like Magento PolyShell, attackers can hack many websites at once, turning one weakness into a large-scale breach.
- Loss of Customer Trust – In this attack, customers enter their details in a fake form before being taken to the real one, which can make them feel suspicious. If the breach becomes known, it can damage trust and lead to a long-term drop in sales.
- Legal and financial penalties – Store owners are legally responsible for protecting customer data. If a breach happens, it can lead to serious consequences like PCI DSS audits (and even losing the ability to process payments), heavy fines under laws like GDPR or CCPA, and expensive lawsuits from affected customers.
- Detection and Fixing Challenges – These skimmers are hard to detect because they hide inside image data and run only once. Most security tools miss them, making store owners think their site is safe when it’s actually still compromised.
- High-Value Targeting – Magento stores are often targeted because they handle a large number of transactions. Since orders are usually higher in value, hackers can make more money from each stolen card.
How Magento Stores Can Protect Against This Threat
Protecting your store from skimmers requires both prevention and regular checks. Following Magento 2 security best practices is a great starting point. Here are five simple tips to keep your eCommerce store secure:
- Use real-time security tools to block attacks as they happen
- Regularly scan your store for malware and vulnerabilities
- Check your website code for suspicious SVG tags with onload and atob()
- Ask affected users to clear browser data if a breach is suspected
- Keep Magento and all extensions updated to avoid security gaps
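The third tip, checking for SVG tags with onload and atob(), can be automated. The following is an added example, not code from Sansec or Magento. It parses rendered page HTML (or CMS block content exported from the database) and reports every `<svg>` element that carries an inline event handler, noting when the handler calls `atob()` and when the element is only a pixel or two in size. The sample page, the size threshold, and the extra `eval`/`Function` checks are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Decoding/eval primitives that have no business in an image's event handler.
# atob() is the one named in the article; eval/Function are added assumptions.
SUSPICIOUS_CALLS = re.compile(r"\b(atob|eval|Function)\s*\(")
EVENT_ATTR = re.compile(r"^on[a-z]+$")

def _px(value):
    """Parse '1' or '1px' into a number; None if absent or a relative unit."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(px)?\s*", value or "")
    return float(m.group(1)) if m else None

class SvgHandlerScanner(HTMLParser):
    """Collects <svg> start tags that carry inline event handlers."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "svg":  # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        for name, code in a.items():
            if not EVENT_ATTR.match(name):
                continue
            reasons = [f"inline {name} handler"]
            reasons += [f"calls {c}()" for c in sorted(set(SUSPICIOUS_CALLS.findall(code)))]
            w, h = _px(a.get("width")), _px(a.get("height"))
            if w is not None and h is not None and w <= 2 and h <= 2:
                reasons.append(f"tiny {w:g}x{h:g} element")
            self.findings.append({"line": self.getpos()[0], "reasons": reasons})

def scan_html(html):
    scanner = SvgHandlerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: one ordinary icon, one 1x1 SVG whose onload calls atob().
# The Base64 string decodes to the word "constructed"; it is not a real payload.
SAMPLE_PAGE = """<html><body>
<svg width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z"/></svg>
<svg width="1px" height="1px" onload="atob('Y29uc3RydWN0ZWQ=')"></svg>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"line {f['line']}: " + "; ".join(f["reasons"]))
```

Any hit deserves manual review, since a legitimate storefront SVG rarely needs an inline event handler at all. Scan the HTML as served to a fresh browser session as well as the stored templates, because injected markup may live only in database-backed content.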
And that’s it. SVG Magecart skimmers show how cyberattacks are becoming more hidden and harder to detect. Staying proactive with security measures and regular monitoring is key to protecting your store and customer data.