Magento checkout skimmer campaign targeting nearly 100 stores
Campaign
Summary
A Magento checkout skimmer campaign is compromising nearly 100 online stores and stealing payment data at the point of sale, putting shoppers’ card details at immediate risk. The operation uses a 1x1-pixel SVG payload to hide the malicious code and make detection harder.
Related Happenings
Funnel Builder plugin WordPress arbitrary JavaScript injection actively exploited security flaw
Vulnerability
First: 16.05.2026 18:20
Last: 16.05.2026 18:20
Sources 1
About this happening:
**Funnel Builder** for **WordPress** is under **active exploitation** for arbitrary JavaScript injection into **WooCommerce checkout pages**, creating payment-skimming risk across...
Adobe Reader zero-day exploited via malicious PDFs security flaw
Vulnerability
First: 09.04.2026 12:22
Last: 09.04.2026 12:22
Sources 1
About this happening:
**Adobe Reader** is facing an **actively exploited zero-day** delivered through **malicious PDF documents** and observed since at least **December**. The flaw works on the **lates...
Latest development: 13.04.2026 18:37
Adobe released an emergency security update for Acrobat Reader to fix CVE-2026-34621 after zero-day exploitation in malicious PDF files. The bulletin says Acrobat DC versions 26.001.21367 and earlier, Acrobat Reader DC versions 26.001.21367 and earlier, and Acrobat 2024 versions 24.001.30356 and earlier are affected, and Adobe recommends updating through Help > Check for Updates or the official installer.
WebRTC payment skimmer
Malware Activity
First: 26.03.2026 08:53
Last: 26.03.2026 08:53
Sources 1
About this happening:
A **new payment skimmer** has been identified using **WebRTC data channels** to load payloads and steal payment data from **e-commerce sites**, bypassing common security controls....
Magento Open Source v2 and Adobe Commerce PolyShell mass exploitation
Exploitation Wave
First: 25.03.2026 23:40
Last: 25.03.2026 23:40
Sources 1
How related:
Sansec warned that more than half of all vulnerable stores were targeted in PolyShell attacks, which in some cases deployed payment card skimmers using WebRTC for stealthy data exfiltration.
About this happening:
**PolyShell** exploitation is now underway against **Magento Open Source v2** and **Adobe Commerce**, with attackers reaching **56.7%** of vulnerable stores. The surge began on **...
Latest development: 09.04.2026 01:34
Sansec reported a new campaign against nearly 100 Magento online stores in which attackers hide a credit card skimmer inside a 1x1-pixel SVG element with an onload handler, display a fake Secure Checkout overlay on checkout, validate submitted card data with Luhn, and exfiltrate payment details to attacker infrastructure; the researchers also identified six exfiltration domains hosted by IncogNet LLC (AS40663).
Magento Open Source and Adobe Commerce PolyShell unauthenticated RCE flaw
Vulnerability
First: 19.03.2026 22:01
Last: 19.03.2026 22:01
Sources 1
How related:
PolyShell impacts all Magento Open Source and Adobe Commerce stable version 2 installations, allowing unauthenticated code execution and account takeover.
About this happening:
**PolyShell** is a **Magento Open Source** and **Adobe Commerce** vulnerability that can enable **unauthenticated code execution** and **account takeover** across **stable version...
Timeline
09.04.2026 01:34 · 2 articles
Sansec identifies Magento checkout skimmer campaign
Initial Disclosure
Sansec identifies a campaign targeting nearly 100 Magento online stores in which checkout users are shown a fake Secure Checkout overlay while a 1x1-pixel SVG onload handler hides a card skimmer; the payload validates card data with Luhn, exfiltrates payment details in XOR-encrypted base64-obfuscated JSON, appears to leverage PolyShell access, and uses six exfiltration domains hosted by IncogNet LLC in the Netherlands.
Sources:
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
- Hackers use pixel-large SVG trick to hide credit card stealer — www.bleepingcomputer.com — 09.04.2026 01:34
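
Added example, not taken from Sansec or the cited article: a Python triage check for the markup pattern the timeline entry describes, an `<svg>` element sized at most 1x1 pixel that carries an `onload` handler. The sample HTML is constructed, and the names `TinySvgOnloadFinder` and `scan` are illustrative assumptions.

```python
from html.parser import HTMLParser

MAX_PIXELS = 1.0  # the campaign description is a 1x1-pixel element


def _pixels(value):
    """Parse a width/height attribute such as '1' or '1px'; None if unparsable."""
    text = (value or "").strip().lower().removesuffix("px")
    try:
        return float(text)
    except ValueError:
        return None


class TinySvgOnloadFinder(HTMLParser):
    """Records <svg> start tags that are at most 1x1 px and have an onload attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "svg":
            return
        attr = dict(attrs)  # HTMLParser already lower-cases tag and attribute names
        w, h = _pixels(attr.get("width")), _pixels(attr.get("height"))
        tiny = w is not None and h is not None and w <= MAX_PIXELS and h <= MAX_PIXELS
        if tiny and "onload" in attr:
            line, _col = self.getpos()
            self.findings.append({"line": line, "handler_chars": len(attr["onload"] or "")})


def scan(html):
    """Return one finding per suspicious <svg> element in an HTML document."""
    finder = TinySvgOnloadFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a normal icon, the flagged pattern, and a tiny SVG without a handler.
SAMPLE = """<html><body>
<svg width="24" height="24" viewBox="0 0 24 24"><path d="M0 0h24v24H0z"/></svg>
<svg width="1" height="1" onload="/* constructed placeholder */"></svg>
<svg width="1px" height="1px"></svg>
</body></html>"""
```

The check reads only `width` and `height` attributes, so elements sized through CSS or `viewBox` are not covered; treat a hit as a lead for manual review of the stored checkout template or CMS block.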