Researchers have discovered a relatively new way to distribute malware that relies on reading malicious obfuscated JavaScript code stored in a PNG file’s metadata to trigger iFrame injections.

Malicious SVG files on adult websites hide JavaScript that hijacks Facebook sessions, secretly liking posts, and potentially exposing victims to identity theft and credential harvesting.