Re: Another Idiot question
There is nothing magic or new going on with this technique. In a nutshell...
Malicious code is disguised as pixels or metadata in a PNG file, so that when a server admin runs a checkup they don't spot the code. All they see is a list of PNGs, and a list of JavaScript files that load PNGs. Everything looks normal, and the malware didn't get detected.
So how does it do harm?
The JavaScript that loads the PNGs also has a little loop in it to unpick the hidden code from the PNG's pixels or metadata. The new code (more JavaScript) is injected into the page and run, having all the permissions that any other JavaScript does on that page. Now it can do malicious things - hijack ad links or something.
How did it get on the server?
Someone hacked a server and uploaded the JavaScript covertly; they also presumably modified an HTML page to link to it. The PNGs can be on anyone's server - like Flickr's - since there is nothing intrinsically harmful about them by themselves.
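
Added example, not part of the original post: a Node.js check a server admin could run over PNG files to surface the metadata case described above, by walking the chunk list and flagging script-like or oversized text chunks and bytes appended after `IEND`. The function names, the regex, the size limit and the sample files are assumptions made for illustration; code hidden in pixel values is not detected by this.

```javascript
// Added example: audit PNG files for data that is not pixels.
// Chunk CRCs are not verified; the regex and size limit are assumed heuristics.
const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const TEXT_CHUNKS = new Set(["tEXt", "zTXt", "iTXt"]);
const SCRIPT_HINTS = /\b(?:eval|atob|Function|fromCharCode)\s*\(|document\.|window\./;

function auditPng(buf, maxTextBytes = 256) {
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_SIG)) return ["not a PNG"];
  const findings = [];
  let off = 8, sawEnd = false;
  // Each chunk: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
  while (!sawEnd && off + 12 <= buf.length) {
    const len = buf.readUInt32BE(off);
    const type = buf.toString("latin1", off + 4, off + 8);
    if (off + 12 + len > buf.length) {
      findings.push(`truncated chunk ${type}`);
      return findings;
    }
    if (TEXT_CHUNKS.has(type)) {
      // zTXt and compressed iTXt bodies are not inflated here; only size is checked.
      const text = buf.toString("latin1", off + 8, off + 8 + len);
      if (len > maxTextBytes) findings.push(`${type}: ${len} bytes of metadata`);
      if (SCRIPT_HINTS.test(text)) findings.push(`${type}: script-like text`);
    }
    off += 12 + len;
    sawEnd = type === "IEND";
  }
  if (!sawEnd) findings.push("no IEND chunk");
  else if (off < buf.length) findings.push(`${buf.length - off} bytes after IEND`);
  return findings;
}

// Constructed sample files (CRC fields zeroed, image data is filler).
function chunk(type, data) {
  const head = Buffer.alloc(8);
  head.writeUInt32BE(data.length, 0);
  head.write(type, 4, "latin1");
  return Buffer.concat([head, data, Buffer.alloc(4)]);
}
const IHDR = chunk("IHDR", Buffer.alloc(13));
const IDAT = chunk("IDAT", Buffer.alloc(20));
const IEND = chunk("IEND", Buffer.alloc(0));
const CLEAN = Buffer.concat([PNG_SIG, IHDR, IDAT, IEND]);
const SUSPECT = Buffer.concat([PNG_SIG, IHDR,
  chunk("tEXt", Buffer.from('Comment\0document.title="demo"', "latin1")),
  IDAT, IEND, Buffer.from("extra")]);

console.log(auditPng(CLEAN), auditPng(SUSPECT));
```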