SVG Comment Payload Loader
Executable code is split across SVG comments, decoded by startup code, and executed when a developer runs the project.
How the pattern works
The repo looks like a normal app, but text-based image files hide fragments of executable code. SVG is useful to attackers because it is both an image format and plain text, so comments can carry payload fragments without changing how the asset looks in a browser.
The dangerous part is the loader. A startup file reads those SVG comments, joins or sorts the fragments, decodes them, and executes the result. The image files are not dangerous by themselves. The risk comes from code that treats asset comments as instructions.
Why it is effective
Asset folders are noisy and easy to trust. A directory full of flags, icons, or illustrations rarely gets the same review as package.json or server code.
Splitting the payload across many files also defeats quick manual review. Each fragment looks meaningless until the loader reconstructs it.
What to check
Look for code that reads from public, assets, images, or icon folders during startup. Pay special attention when that code extracts comments, decodes base64-like strings, or feeds assembled text into dynamic execution.
If the project came from someone you do not already trust, do not run it until you understand the startup path.
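An added example, not part of the original write-up, of the checks above as a small Python scanner: it pulls long base64-alphabet runs out of SVG comments and flags startup source that combines comment extraction, decoding and dynamic execution. The SVG and JavaScript fixtures are constructed here, and the indicator regexes are heuristics for Node-style code, not a complete rule set.

```python
import base64
import binascii
import re

# Constructed fixtures: a benign editor comment, and a comment carrying an
# encoded fragment built from a harmless string (not taken from any real repo).
FRAGMENT = base64.b64encode(b"console.log('constructed sample fragment')").decode()
CLEAN_SVG = '<!-- Generator: Adobe Illustrator 24.0.0 --><svg xmlns="http://www.w3.org/2000/svg"/>'
SUSPECT_SVG = f'<!-- part-02 {FRAGMENT} --><svg xmlns="http://www.w3.org/2000/svg"/>'

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{24,}")  # long runs in the base64 alphabet


def svg_comment_fragments(svg_text):
    """Return base64-looking tokens found inside SVG comments.

    Editor comments contain spaces and punctuation, so their tokens stay short;
    an opaque run that also decodes cleanly is what a payload fragment looks like.
    """
    hits = []
    for m in COMMENT_RE.finditer(svg_text):
        for tok in TOKEN_RE.findall(m.group(1)):
            try:
                base64.b64decode(tok, validate=True)
            except binascii.Error:
                continue  # not valid base64, so almost certainly not a fragment
            hits.append(tok)
    return hits


# Loader-side indicators (heuristic, Node-style): asset reads, comment
# extraction, decoding, dynamic execution. Any one alone is common in normal
# code; comment extraction + decode + dynamic execution together is the pattern.
LOADER_INDICATORS = {
    "asset_read": re.compile(r"readFileSync\([^)]*(public|assets|images|icons?)", re.I),
    "comment_extract": re.compile(r"<!--"),
    "decode": re.compile(r"\batob\(|from\([^)]*.base64."),
    "dynamic_exec": re.compile(r"\beval\(|new Function\(|runInThisContext\("),
}


def loader_indicators(source_text):
    return {name: bool(p.search(source_text)) for name, p in LOADER_INDICATORS.items()}


def is_comment_loader(source_text):
    """Flag source that extracts markup comments, decodes the text and executes it."""
    ind = loader_indicators(source_text)
    return ind["comment_extract"] and ind["decode"] and ind["dynamic_exec"]


# Constructed startup snippet in the shape the write-up describes (not real code).
SUSPECT_STARTUP = ("const raw = fs.readFileSync('public/icons/a.svg', 'utf8');\n"
                   "const frag = raw.match(/<!--(.*?)-->/s)[1];\n"
                   "new Function(Buffer.from(frag, 'base64').toString())();")
```

Run the functions over every file under the asset folders and over anything imported from the startup path; a fragment hit in an image plus a loader hit in source is the combination worth stopping on.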