
Magecart favicon-EXIF loader chain pushes skimmer execution into checkout runtime

Technical Analysis
Happening score
H score 36
1 unique sources, 1 articles

Summary


A Magecart skimmer now hides its payload in a favicon's EXIF metadata, letting the code execute in the shopper's browser at checkout and evade repository-only review. The loader chain depends on a third-party asset rather than merchant source code, shifting detection away from static scanning and toward runtime monitoring. That matters because the payload never enters the repo, so code-security tools have no direct visibility into the malicious content. The result is a browser-side exfiltration path that can steal payment data without changing the merchant application.
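A defender-side check for the technique summarized above, as an added example that is not from the original report: it pulls the Exif (APP1) segment out of a JPEG-encoded favicon and flags script-like text in it. The function names, the token list and the sample bytes are assumptions constructed for illustration, and ICO or PNG favicons are not parsed here.

```javascript
// Added example (Node.js): flag script-like text in a JPEG favicon's Exif segment.
// Heuristic token list, chosen for illustration; tune it for your own assets.
const SUSPICIOUS = [/\beval\s*\(/i, /\bFunction\s*\(/, /\batob\s*\(/i, /<script/i,
  /\bfetch\s*\(/i, /XMLHttpRequest/i, /document\.(cookie|forms|querySelector)/i];

// Walk the JPEG marker segments and return the body of each Exif APP1 segment.
function extractExifSegments(buf) {
  const out = [];
  if (buf.length < 4 || buf[0] !== 0xff || buf[1] !== 0xd8) return out; // no SOI
  let pos = 2;
  while (pos + 4 <= buf.length && buf[pos] === 0xff) {
    const marker = buf[pos + 1];
    if (marker === 0xda || marker === 0xd9) break;    // start of scan / end of image
    const len = buf.readUInt16BE(pos + 2);            // length counts its own 2 bytes
    if (len < 2 || pos + 2 + len > buf.length) break; // truncated or malformed
    const body = buf.subarray(pos + 4, pos + 2 + len);
    if (marker === 0xe1 && body.subarray(0, 6).toString('latin1') === 'Exif\0\0') {
      out.push(body.subarray(6));
    }
    pos += 2 + len;
  }
  return out;
}

// Report how many Exif segments were found and which patterns matched in them.
function scanFavicon(buf) {
  const segments = extractExifSegments(buf);
  const hits = [];
  for (const seg of segments) {
    const text = seg.toString('latin1');
    for (const re of SUSPICIOUS) if (re.test(text)) hits.push(re.source);
  }
  return { exifSegments: segments.length, suspicious: hits.length > 0, hits };
}

// Constructed sample: SOI + one APP1 segment + EOI. The Exif body is a TIFF
// byte-order stub followed by free text, not a complete IFD structure.
function makeJpeg(exifText) {
  const body = Buffer.concat([Buffer.from('Exif\0\0II*\0', 'latin1'),
    Buffer.from(exifText, 'latin1')]);
  const len = Buffer.alloc(2);
  len.writeUInt16BE(body.length + 2);
  return Buffer.concat([Buffer.from([0xff, 0xd8, 0xff, 0xe1]), len, body,
    Buffer.from([0xff, 0xd9])]);
}

console.log(scanFavicon(makeJpeg('eval("1+1")')));            // harmless marker string
console.log(scanFavicon(makeJpeg('Constructed description'))); // clean sample
```

Because the asset is fetched at runtime from a third party, a check like this has to run against the bytes the browser actually receives, not against files in the merchant's repository.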

Related Happenings

Major web skimming campaign targeting payment networks

Campaign
First: 13.01.2026 19:30 Last: 13.01.2026 19:30 Sources 1

How related: For web supply chain threats like this Magecart campaign, continuous monitoring of what actually runs in users' browsers is the primary layer with direct visibility into the attack as it happens.

About this happening: A **long-running Magecart web-skimming campaign** has been active since **2022** and targets checkout flows tied to **American Express, Diners Club, Discover, JCB, Mastercard, and...

Stripe iframe skimmer campaign targeting merchants

Campaign
First: 24.09.2025 14:03 Last: 24.09.2025 14:03 Sources 1

About this happening: The **Stripe iframe skimmer campaign** used **malicious overlays** to steal card data from **dozens of merchants**, raising checkout-fraud risk across payment pages. In **August 2...

Payment iframe defense against malicious overlays on checkout pages

Defensive Guidance
First: 24.09.2025 14:03 Last: 24.09.2025 14:03 Sources 1

About this happening: Attackers are actively abusing **payment iframes** on **checkout pages** with **malicious overlays**, making **strict CSP** and **real-time monitoring** essential to prevent card...

Checkmarx Zero LITL prompt-injection analysis against Anthropic Claude Code

Technical Analysis
First: 15.09.2025 12:11 Last: 15.09.2025 12:11 Sources 1

About this happening: Researchers demonstrated **lies-in-the-loop (LITL)**, a **prompt-injection** technique that can trick **Anthropic's Claude Code** into approving dangerous actions, expanding risk...

Timeline

  1. 18.03.2026 13:58 2 articles · 2mo ago

    Magecart skimmer executes from favicon EXIF metadata at checkout

    Technical Analysis Update

    A Magecart skimmer uses a three-stage loader chain to hide malicious JavaScript inside a dynamically loaded third-party favicon's EXIF metadata, then executes the payload in the shopper's browser at checkout and silently POSTs stolen payment data to an attacker-controlled server. The described technique stays outside the merchant's repository and illustrates why repository-based static analysis such as Claude Code Security cannot see payloads that only appear in runtime-fetched third-party assets, while browser-side runtime monitoring can.
