Persistent Skimmer Attack on Magento 2.4.6: Unmasking Hidden Threats in core_config_data

E-commerce security remains a paramount concern for merchants, especially on platforms like Magento, which are frequent targets for sophisticated attacks. A recent GitHub issue (#40466) sheds light on a critical and persistent skimmer injection targeting a Magento 2.4.6 Community Edition store, highlighting a significant security hardening gap.

The Alarming Discovery

The issue author, Arsalanulhaq, reported a disturbing incident: an unknown credit card payment method mysteriously appeared on their production Magento 2.4.6 checkout. Further investigation revealed a large, obfuscated JavaScript script being printed in the footer on all pages. This wasn't just a one-off event; the attacker was continuously re-injecting the malicious payload every 2-3 days, forcing the merchant into a constant battle of removal.

Deep Dive into the Attack Vector

The core of the compromise lay within Magento's database, specifically the core_config_data table. The attacker had injected the malicious script into the design/footer/absolute_footer path for all store views. This path is intended for legitimate theme customizations but, in this case, became a conduit for a sophisticated skimmer.

The injected script was heavily obfuscated, designed to evade detection. The issue report includes a snippet of the observed payload.

This JavaScript dynamically decodes and executes a second-stage payload at runtime, which was found to implement typical skimming behavior: capturing checkout and payment data, then exfiltrating it to an external source. The author noted that they had no custom modifications to core_config_data write logic and did not manually add any such script, strongly suggesting an underlying vulnerability.

The Unanswered Question: Root Cause

While the impact was clear (S0 severity – affecting critical data and functionality), the exact root cause remained elusive within the issue report. The possibilities include:

  • An underlying vulnerability in Magento core.
  • A compromised third-party extension (the store had numerous extensions installed, including several from Amasty, Mageplaza, Mirasvit, etc.).
  • A compromised admin account or server-level breach that allowed arbitrary writes to core_config_data.

The author emphasized the need for Magento to provide stronger hardening, logging, and restrictions around HTML/JS in globally rendered config values, or at least clearer best-practice guidance for detection and response.

Community Insights and Immediate Actions

The most crucial advice came from community member ljr95, who immediately pointed out that Magento 2.4.6 has 13 security patches available. The recommendation was to upgrade to Magento 2.4.6-p13 as a first, critical step. This highlights a common vulnerability point: out-of-date security patches. Furthermore, the end-of-life for Magento 2.4.6 is approaching quickly (August 11, 2026), urging merchants to plan for further upgrades.

For any Magento merchant, this issue serves as a stark reminder:

  • Keep Magento Updated: Regularly apply all security patches and consider upgrading to the latest stable version to benefit from ongoing security enhancements.
  • Monitor core_config_data: Implement monitoring for unexpected changes in critical configuration paths like design/footer/absolute_footer or design/head/includes.
  • Audit Extensions: Regularly review and audit all installed extensions, ensuring they are from reputable sources and kept up-to-date. Disable or remove any unused extensions.
  • Implement WAF & Security Scans: Utilize Web Application Firewalls (WAFs) and conduct regular security scans to detect anomalies and potential injection attempts.
  • Strong Admin Security: Enforce strong, unique passwords, two-factor authentication (2FA), and restrict admin access to trusted IPs.
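One way to implement the core_config_data monitoring recommended above, as an added example that is not from the issue thread or the Magento project: a Python script that compares the HTML-rendering config paths named in this post against an approved baseline and flags values carrying script or obfuscation markers. The in-memory SQLite table and sample rows are constructed stand-ins for the live MySQL table, and the watched-path list and marker regex are assumptions you would tune for your store.

```python
import hashlib
import re
import sqlite3

# Paths whose values Magento renders as raw HTML on every page (from the post).
WATCHED_PATHS = ("design/footer/absolute_footer", "design/head/includes")

# Markers typical of obfuscated loaders that decode and run a second stage at
# runtime; the long base64-looking run catches encoded payload blobs. Assumed set.
SUSPICIOUS = re.compile(
    r"<script|eval\s*\(|atob\s*\(|fromCharCode|unescape\s*\(|"
    r"document\.write|[A-Za-z0-9+/=]{80,}", re.I)

def fingerprint(value):
    """Stable hash of a config value; record these as the approved baseline."""
    return hashlib.sha256((value or "").encode()).hexdigest()

def scan_config_rows(rows, baseline):
    """rows: (scope, scope_id, path, value) tuples from core_config_data.
    baseline: {(scope, scope_id, path): sha256} of values an admin approved.
    Returns one finding per watched row that drifted from baseline (including
    a store-view override that never existed before) or looks injected."""
    findings = []
    for scope, scope_id, path, value in rows:
        if path not in WATCHED_PATHS:
            continue
        reasons = []
        if baseline.get((scope, scope_id, path)) != fingerprint(value):
            reasons.append("differs from approved baseline")
        if value and SUSPICIOUS.search(value):
            reasons.append("contains script/obfuscation markers")
        if reasons:
            findings.append({"scope": scope, "scope_id": scope_id,
                             "path": path, "reasons": reasons})
    return findings

# Constructed sample rows: a benign default footer, an injected store-view
# override, and an unrelated setting that must be ignored.
SAMPLE_ROWS = [
    ("default", 0, "design/footer/absolute_footer", "<p>&copy; Example Shop</p>"),
    ("stores", 1, "design/footer/absolute_footer",
     "<script>eval(atob('" + "QUJD" * 30 + "'))</script>"),
    ("default", 0, "general/store_information/name", "Example Shop"),
]
SAMPLE_BASELINE = {
    ("default", 0, "design/footer/absolute_footer"): fingerprint("<p>&copy; Example Shop</p>"),
}

def scan_sample():
    """Load the constructed rows into an in-memory table (stand-in for MySQL)
    and scan them with the same SELECT you would run against the live database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE core_config_data(scope, scope_id, path, value)")
    db.executemany("INSERT INTO core_config_data VALUES (?,?,?,?)", SAMPLE_ROWS)
    rows = db.execute("SELECT scope, scope_id, path, value FROM core_config_data "
                      "WHERE path IN (?,?)", WATCHED_PATHS).fetchall()
    return scan_config_rows(rows, SAMPLE_BASELINE)

if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

Run it from cron every few hours and alert on any non-empty result; because the attacker in this case re-injected every 2-3 days, a baseline comparison catches the re-injection even if the obfuscation changes enough to dodge the marker regex.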

While the full resolution of the root cause for this specific attack is still pending, the community's swift advice on security patches is an actionable takeaway for all Magento users. Proactive security measures are not optional but essential in safeguarding e-commerce operations against persistent and evolving threats.