It it possible to hide executable javascript inside valid images. Those images are recognized as image files by software so they can be uploaded e.g. to image hosters. But at the same time then can run javascript so you can load javascript from a domain nobody would exptect.