Stealthy Magecart Skimmer Hides in Pixel-Sized SVG, Targeting Magento Stores
A sophisticated Magecart campaign is actively compromising online stores using the **Magento** e-commerce platform. The attackers are leveraging a pixel-sized Scalable Vector Graphics (SVG) image to conceal credit card-stealing code, highlighting the evolving tactics employed by cybercriminals.

Nearly 100 online stores are impacted by a new campaign that hides credit card-stealing code in a 1x1 pixel SVG image. When a user clicks the checkout button, a convincing overlay appears, designed to steal card details and billing information.
### PolyShell Vulnerability Exploitation
The campaign was discovered by **Sansec**, an eCommerce security company. Their researchers believe that the attackers likely gained initial access by exploiting the **PolyShell** vulnerability, a Remote Code Execution (RCE) flaw disclosed in mid-March.

**PolyShell** impacts all **Magento Open Source** and **Adobe Commerce** stable version 2 installations, allowing unauthenticated code execution and complete account takeover. Sansec previously warned that over half of vulnerable stores had been targeted by **PolyShell** attacks. Some attacks even deployed payment card skimmers using WebRTC for stealthy data exfiltration.
### SVG Onload Handler for Malware Injection
In this latest campaign, the malware is injected as a 1x1-pixel SVG element with an `onload` handler directly into the target website's HTML. Sansec explains that the `onload` handler contains the entire skimmer payload, base64-encoded inside an `atob()` call and executed via `setTimeout`. This technique avoids external script references that security scanners typically flag, making detection more difficult.
### Fake Checkout Overlay
When unsuspecting buyers click the checkout button on a compromised store, a malicious script intercepts the action and displays a fake "Secure Checkout" overlay. This overlay includes card detail fields and a billing form, designed to harvest sensitive payment information.
Payment data submitted on this fraudulent page is validated in real time using the Luhn algorithm. The stolen data is then exfiltrated to the attacker in an XOR-encrypted, base64-obfuscated JSON format.

*Source: Sansec*
Sansec identified six exfiltration domains, all hosted at **IncogNet LLC** (AS40663) in the Netherlands. Each domain is receiving data from 10 to 15 confirmed victims.
### Mitigation Strategies
To protect against this ongoing campaign, Sansec recommends the following actions:
* Look for hidden SVG tags with an `onload` attribute using `atob()` and remove them from your site files.
* Check if the `_mgx_cv` key exists in browser `localStorage`, as this indicates potential payment data theft.
* Monitor and block requests to `/fb_metrics.php` or any unfamiliar analytics-like domains.
* Block all traffic to the IP address `23.137.249.67` and associated domains.
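The following scanner is an added example written for this article; it is not code from Sansec or from the Magento project. It implements the first mitigation above and targets the injection pattern described under "SVG Onload Handler for Malware Injection": it parses HTML and template files for `<svg>` elements whose `onload` attribute calls `atob()`, base64-decodes the embedded blob so an analyst can triage it without executing it, and records whether the element is sized 1x1 and whether the handler uses `setTimeout`. The sample page, its harmless placeholder payload and the list of file suffixes scanned are constructed assumptions, not artefacts from the campaign.

```python
import base64
import re
from html.parser import HTMLParser
from pathlib import Path

# Matches a literal base64 string passed to atob(), e.g. atob('SGVsbG8=')
ATOB_RE = re.compile(r"""atob\(\s*(["'])([A-Za-z0-9+/=]+)\1\s*\)""")


def decode_b64(blob):
    """Decode a base64 blob for triage; return None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


class SvgOnloadScanner(HTMLParser):
    """Collects <svg> start tags whose onload handler calls atob()."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "svg":
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names (onLoad -> onload)
        handler = a.get("onload") or ""
        m = ATOB_RE.search(handler)
        if not m:
            return  # an svg with a benign onload handler is not reported
        self.findings.append({
            "line": self.getpos()[0],
            "tiny": a.get("width") == "1" and a.get("height") == "1",
            "uses_settimeout": "setTimeout" in handler,
            "decoded": decode_b64(m.group(2)),
        })


def scan_html(text):
    """Return a list of suspicious <svg onload=...atob(...)> findings in one document."""
    parser = SvgOnloadScanner()
    parser.feed(text)
    parser.close()
    return parser.findings


def scan_files(root, suffixes=(".html", ".phtml", ".php")):
    """Walk a site tree and map each file path to its findings (assumed template suffixes)."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_html(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample page: a 1x1 svg whose onload runs a base64 blob through
# atob() inside setTimeout, next to a legitimate svg with a harmless onload.
# The payload is a placeholder, not the campaign's skimmer.
PLACEHOLDER_JS = "console.log('placeholder')"
SAMPLE_PAGE = (
    "<html><body>\n"
    "<p>Welcome to the store</p>\n"
    "<svg width=\"1\" height=\"1\" onload=\"setTimeout(function(){eval(atob('"
    + base64.b64encode(PLACEHOLDER_JS.encode()).decode()
    + "'))},0)\"></svg>\n"
    "<svg width=\"24\" height=\"24\" onload=\"this.classList.add('ready')\"></svg>\n"
    "<img src=\"/logo.png\" alt=\"logo\">\n"
    "</body></html>\n"
)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Usage: python svg_onload_scan.py /path/to/magento/docroot
        for path, hits in scan_files(sys.argv[1]).items():
            for hit in hits:
                print(f"{path}:{hit['line']} tiny={hit['tiny']} "
                      f"setTimeout={hit['uses_settimeout']} payload={hit['decoded']!r}")
    else:
        for hit in scan_html(SAMPLE_PAGE):
            print(hit)
```

The decoded payload is only printed, never evaluated, so the script is safe to run against a live document root; a hit on a file that ships with the store theme, rather than one an attacker could have written, still warrants a manual look at the decoded text before removal.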
### Adobe's Response and Recommendations
As of writing, **Adobe** has not released a security update to address the **PolyShell** flaw in production versions of **Magento**. A fix is only available in the pre-release version 2.4.9-alpha3+.
**Adobe** has not responded to requests for comment on this issue.
Website owners and administrators are strongly advised to apply all available mitigations and, if possible, upgrade **Magento** to the latest beta release.