Security
admin  

April 2026: Magecart operators hide credit‑card skimmers inside 1×1 SVGs using Magento PolyShell — patches still pre-release

In early April 2026, a Magecart campaign used a tiny, deliberate evasion technique—embedding a base64 JavaScript skimmer in a 1×1 pixel SVG’s onload attribute—to harvest card data from nearly 100 Magento stores while exploiting the PolyShell vulnerability; official Adobe fixes remain in pre-release.

What unfolded in early April and why the SVG matters

Security teams began recording compromises in the first week of April 2026. The injected skimmer ran entirely inline from a 1×1 SVG element, with no external script reference: the element's onload attribute decoded a base64 JavaScript payload and deferred it through a setTimeout wrapper. The campaign hit Magento Open Source and Adobe Commerce 2.x sites that were vulnerable to PolyShell, and researchers counted about 100 confirmed store compromises before mitigations were widely applied.
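A first-pass check for this pattern, written for this page as an added example and not code from the article, Adobe, or the researchers who reported the campaign: it scans page HTML for inline svg elements with an onload handler and flags those whose handler contains a base64 literal, calls atob/eval/Function/setTimeout, or is sized 1×1. The sample HTML and its inert "payload" are constructed here for illustration; the regex-based attribute parsing is a deliberate simplification and will not resolve handlers that are assembled at runtime. Runs under Node.js.

```javascript
// Added example (not from the article, Adobe, or Magento): static triage of
// inline <svg onload="..."> loaders as described in the campaign write-up.
// Intended to run under Node.js over captured page HTML, templates or CMS blocks.

const SVG_TAG_RE = /<svg\b([^>]*)>/gi;
const ATTR_RE = /([A-Za-z_:][-A-Za-z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
const B64_LITERAL_RE = /[A-Za-z0-9+/]{20,}={0,2}/; // long base64-looking run
const DECODE_CALL_RE = /\b(atob|eval|Function|setTimeout)\s*\(/;

// Minimal entity decoding so a handler written with &quot; or &#39; is
// inspected in the form the browser would actually execute.
function decodeEntities(s) {
  const map = { quot: '"', amp: "&", lt: "<", gt: ">", "#39": "'" };
  return s.replace(/&(quot|amp|lt|gt|#39);/g, (_, e) => map[e]);
}

// Parse the attribute text of one start tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = decodeEntities(m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// True only when both width and height parse to <= 1 (NaN fails the comparison).
function isPixelSized(attrs) {
  const w = parseFloat(attrs.width), h = parseFloat(attrs.height);
  return w <= 1 && h <= 1;
}

// Returns one finding per <svg> whose onload handler shows loader characteristics.
// A plain onload with none of the signals is not reported, since some themes use it.
function findSuspiciousSvgs(html) {
  const findings = [];
  SVG_TAG_RE.lastIndex = 0;
  let m;
  while ((m = SVG_TAG_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.onload) continue;
    const reasons = [];
    if (isPixelSized(attrs)) reasons.push("1x1 element");
    const call = attrs.onload.match(DECODE_CALL_RE);
    if (call) reasons.push(`calls ${call[1]}() from onload`);
    const lit = attrs.onload.match(B64_LITERAL_RE);
    let decoded = null;
    if (lit) {
      // Decode so an analyst sees the staged JavaScript, not just a blob.
      decoded = Buffer.from(lit[0], "base64").toString("utf8");
      reasons.push("base64 literal in handler");
    }
    if (reasons.length > 0) findings.push({ offset: m.index, attrs, reasons, decoded });
  }
  return findings;
}

// Constructed sample: one legitimate icon and one 1x1 SVG carrying a base64
// loader in the shape described above. The payload is an inert stand-in.
const SAMPLE_PAYLOAD = "document.addEventListener('submit', function (e) { /* stand-in */ });";
const SAMPLE_HTML = [
  '<svg width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z"/></svg>',
  '<svg width="1" height="1" onload="setTimeout(function(){eval(atob(\'' +
    Buffer.from(SAMPLE_PAYLOAD).toString("base64") + '\'))},0)"></svg>',
].join("\n");

const sampleFindings = findSuspiciousSvgs(SAMPLE_HTML);
console.log(JSON.stringify(sampleFindings, null, 2));
```

Point the checker at rendered storefront HTML as well as at stored content (theme templates, CMS blocks and pages), since the page a customer receives and the source it was built from can differ when the injection lives in the database. Any hit still needs a human look at the decoded text; the decode step exists so that look is fast.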

The choice of an SVG container is tactical, not cosmetic: unlike prior Magecart payloads hidden in handlers in 2025, the SVG method avoids typical script scanners that flag external script includes or suspicious
