The malicious code is hidden within a CDATA section of the SVG file and relies on a static XOR key to decrypt a payload at ...

Researchers have discovered a relatively new way to distribute malware that relies on reading malicious obfuscated JavaScript code stored in a PNG file’s metadata to trigger iFrame injections.

The authors turned to polyglot images to add the JavaScript code that redirects to a page offering a fake reward. The malicious code is hidden in a BMP type of picture and it is heavily obfuscated.

The image probably isn't loaded by that time. I mean, it's probably a couple milliseconds, if that, between when you assign that src and when you ask for the width and height.