A recently observed Magecart web skimming campaign demonstrates how modern attackers can steal payment card data without ever modifying the target application’s source code. The malicious JavaScript payload is hidden inside the EXIF metadata of a dynamically loaded favicon and executed entirely in the shopper’s browser at checkout, rendering traditional repository and static code scanners ineffective.
How the new Magecart favicon EXIF attack works
On compromised e-commerce sites, researchers identified a short loader script embedded in the page. At first glance, it looks like a harmless reference to a trusted third-party resource, such as a script from a legitimate CDN or commerce platform. This visual similarity significantly reduces the chance of detection during manual review or basic security checks.
The loader retrieves an external script which then uses obfuscated array indices and string operations to construct the actual malicious URL. Once decoded, this URL points to a resource such as //b4dfa5[.]xyz/favicon.ico. From this point, the core technique begins: the script requests the favicon as a binary object, parses its EXIF metadata, extracts a concealed JavaScript string, and executes it via new Function().
As a result, the malicious payload lives entirely inside image metadata and never appears as readable JavaScript in the application’s repository or HTML templates. Security tools that do not observe real code execution in the browser have no direct visibility into this stage.
In the final step, the skimmer silently exfiltrates stolen payment card and checkout data via HTTP POST requests to attacker-controlled infrastructure. The attack chain has four notable properties: the initial loader masquerades as a legitimate third-party script; the payload is stored in favicon EXIF metadata; exfiltration occurs directly from the shopper’s browser; and the merchant’s own application code is not modified.
Why static code analysis cannot see this Magecart technique
Static application security testing (SAST) and repository scanners work on what is present in the codebase: application source code, configuration files, and infrastructure manifests. They are highly effective at identifying vulnerabilities introduced by the development team itself, such as XSS, SQL injection, insecure data handling, and broken access control.
Magecart attacks, however, are a form of web supply chain threat. Malicious JavaScript is delivered via compromised third-party components: payment widgets, tag managers, analytics pixels, CDN-hosted scripts, and dynamically loaded images. This code often never enters the organization’s Git repository and never passes through code review. From the perspective of a repository scanner, it simply does not exist.
Consequently, static analysis cannot interpret a payload embedded in a binary favicon, cannot see domains that appear only during a live browser session, and cannot detect suspicious client-side network requests. This is not a product failure but a mismatch between tool scope and threat model, a point frequently emphasized in guidance from organizations such as OWASP and ENISA.
Static analysis remains an essential security layer. It can still flag risky patterns in first-party code that make skimming easier, such as dynamic insertion of third-party scripts, overuse of eval or new Function, or hard-coded endpoints for sending sensitive data. In other words, SAST reduces the attack surface but cannot replace monitoring of what actually runs inside the user’s browser.
Web supply chain attacks beyond favicon and EXIF tricks
Invisible iframes overlaying payment forms
A classic Magecart-style technique involves overlaying legitimate payment forms with invisible iframes. A compromised third-party widget renders a transparent layer on top of the card input fields and captures every keystroke, forwarding the data to an attacker. From the merchant’s point of view, the HTML layout and first-party code remain unchanged, and no malicious code appears in the repository.
Abusing analytics pixels and tracking scripts
Most e-commerce sites rely on analytics and retargeting pixels loaded from external CDNs. If the vendor or its infrastructure is compromised, the same pixel URL can become a covert exfiltration channel. For the application, it is still the “legitimate” third-party endpoint that has been in use for years; the malicious logic now resides on the provider’s side.
DOM-based theft via tag managers and event handlers
Another widespread vector involves scripts deployed through tag managers. These scripts subscribe to DOM events on login or payment fields and collect credentials or card data before the form is submitted. All logic is implemented as dynamically attached event handlers, activated at runtime in the browser, and therefore remains outside the view of static code scanners.
Modern attackers increasingly enhance these methods with AI-generated polymorphic JavaScript, frequently reshaping code structure to evade signature-based detection and simple pattern matching. This trend further underlines the need to monitor real runtime behavior rather than relying solely on static representations of code.
Client-side runtime monitoring and defense-in-depth for Magecart
For threats such as Magecart and browser-based web skimming, client-side runtime monitoring becomes a critical control. These platforms track which scripts actually execute in user sessions, what DOM changes they perform, and where sensitive data is being sent. In practice, they answer questions such as: “What code is running in my customers’ browsers right now?” and “Is any script attempting to send payment data to an untrusted domain?”
Industry best practices recommend a defense-in-depth approach for web supply chain security. Static code analysis and dependency management help prevent vulnerabilities in first-party code. Policies such as Content Security Policy (CSP), Subresource Integrity (SRI), and strict allowlists of trusted third-party domains constrain what external resources can do. Client-side runtime monitoring then detects attacks that exist solely in the browser and never touch the source repository.
Expecting a repository scanner to detect a Magecart skimmer hidden in favicon EXIF metadata is equivalent to expecting a smoke detector to extinguish a fire: they serve different purposes. Robust protection for modern e-commerce applications requires combining static analysis, strict web supply chain governance, and continuous client-side runtime monitoring. Organizations that invest in this layered strategy significantly reduce the risk of undetected theft of payment card data and gain much-needed visibility into where sensitive information actually flows in the browser.
