Researchers have discovered a relatively new way to distribute malware that relies on reading malicious obfuscated JavaScript code stored in a PNG file’s metadata to trigger iFrame injections.

However, instead of finding images of a dog or a fire hydrant, the visitors are asked to press a specific keyboard shortcut, which copies a malicious piece of JavaScript code into the clipboard.

The image, which is displayed to the right of this text, looked unremarkable. Using some clever HTML5 programming under the hood, however, it delivered malicious code to unsuspecting Mac users.