Magento Supply Chain Attack Compromises Hundreds of E-stores

Summary:
A coordinated supply chain attack has compromised between 500 and 1,000 Magento-based e-commerce websites through 21 maliciously backdoored third-party extensions, some of which were injected with malicious code as early as 2019. The attack was discovered by researchers at Sansec, who revealed that although the extensions were compromised years ago, the embedded backdoor only became active in April 2025. This delayed activation allowed the attackers to remain undetected for years before gaining full control over the affected e-commerce servers.

The compromised extensions originate from three major Magento extension vendors: Tigren, Meetanshi, and MGS. These include widely used modules such as Tigren Ajaxsuite, Ajaxcart, Ajaxlogin, Ajaxcompare, Ajaxwishlist, and MultiCOD; Meetanshi ImageClean, CookieNotice, Flatshipping, FacebookChat, CurrencySwitcher, and DeferJS; and MGS Lookbook, StoreLocator, Brand, GDPR, Portfolio, Popup, DeliveryTime, ProductTabs, and Blog. Sansec also identified a tampered version of the Weltpixel GoogleTagManager extension, though it remains unclear whether the compromise occurred at the vendor level or during website deployment.

The malicious extensions all contain a PHP-based backdoor hidden in license validation files, typically License[.]php or LicenseApi[.]php. This backdoor listens for HTTP requests with specific parameters named requestKey and dataSign. When these match hardcoded authentication keys embedded in the code, the backdoor enables the execution of administrative functions, including the ability to upload and save a new license file to the server. The include_once() PHP function is then used to load and execute any code within the uploaded file, effectively allowing the attacker to run arbitrary PHP scripts. Earlier versions of the backdoor required no authentication at all, exposing systems to immediate compromise, while more recent versions employ hardcoded keys to restrict access to the threat actors. Sansec confirmed that in at least one case, the attackers used the backdoor to upload a webshell, granting them persistent remote access. The attack’s potential impact is severe and includes customer data theft, credit card skimming, the injection of malware such as Magecart skimmers, creation of unauthorized administrative accounts, and complete takeover of affected web servers.


Security Officer Comments:
Sansec contacted all three vendors with its findings. Meetanshi acknowledged a breach in its server infrastructure but denied that its extensions were compromised. Tigren denied any breach and continues to distribute the affected extensions. MGS did not respond to the disclosure. Independent validation by BleepingComputer confirmed the presence of the backdoor in the MGS StoreLocator extension, which remains available for public download. Confirmation for the other extensions is still pending. Sansec noted the unusual strategy of implanting the backdoor years in advance and only activating it recently, possibly as part of a long-term reconnaissance and exploitation campaign.


Suggested Corrections:
Sansec strongly recommends that website administrators who have used any of the named extensions conduct a full forensic review, scan for the indicators of compromise provided in the Sansec report, and, if feasible, restore their systems from a known-clean backup. Sansec is continuing its investigation and will publish further findings as more information becomes available. BleepingComputer has also reached out to the three vendors but has not yet received any responses.
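The following is an added triage example, written for this summary and not code from Sansec, BleepingComputer, or any of the named vendors. It turns the backdoor description above (a License.php or LicenseApi.php that reads requestKey and dataSign and then include_once()s a file it wrote) and the recommended scan for indicators into two checks: a file-tree scan that flags license files showing all three indicators together, and an access-log pass that flags requests carrying both parameters. The directory layout, the combined-format log lines, the sample file contents, and the idea that co-occurrence of these tokens is a useful triage signal are all assumptions of this example; the authoritative indicator list is the one in the Sansec report.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# File names the advisory reports as carrying the backdoor.
SUSPECT_FILENAMES = {"License.php", "LicenseApi.php"}
# Request parameters the backdoor listens for (from the advisory).
BACKDOOR_PARAMS = ("requestKey", "dataSign")
# include/require of a variable path: the mechanism that executes the uploaded
# "license" file. A literal-path include_once is common in clean code, so the
# pattern insists on a variable argument.
DYNAMIC_INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$")


def score_license_source(source: str) -> Dict[str, bool]:
    """Report which of the three indicators appear in a license file's source."""
    return {
        "requestKey": "requestKey" in source,
        "dataSign": "dataSign" in source,
        "dynamic_include": DYNAMIC_INCLUDE_RE.search(source) is not None,
    }


def is_suspect_license(filename: str, source: str) -> bool:
    """True only for a License.php/LicenseApi.php whose source shows all indicators."""
    return filename in SUSPECT_FILENAMES and all(score_license_source(source).values())


def scan_tree(root: Path) -> List[Path]:
    """Walk a Magento code tree (app/code, vendor) and list suspect license files."""
    hits = []
    for path in root.rglob("*.php"):
        if path.name not in SUSPECT_FILENAMES:
            continue
        try:
            source = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        if is_suspect_license(path.name, source):
            hits.append(path)
    return sorted(hits)


# Assumed combined-format access log; only client IP, method and target are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_backdoor_requests(log_text: str) -> List[Dict[str, str]]:
    """Return log entries whose query string carries both backdoor parameters.

    Caveat: parameters sent in a POST body never reach the access log, so an
    empty result is not proof of absence; pair this with the file scan.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group("target")).query)
        if all(p in params for p in BACKDOOR_PARAMS):
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "target": m.group("target")})
    return hits


# Constructed samples, not real extension code. SUSPECT_SAMPLE mirrors the
# shape the advisory describes; BENIGN_SAMPLE is a plain remote license check.
SUSPECT_SAMPLE = """<?php
$key = $_REQUEST['requestKey'] ?? '';
$sig = $_REQUEST['dataSign'] ?? '';
// key comparison and file write deliberately omitted from this sample
include_once($licensePath);
"""
BENIGN_SAMPLE = """<?php
$status = file_get_contents('https://licensing.example/check?key=' . urlencode($key));
include_once __DIR__ . '/LicenseHelper.php';
"""
# Constructed log lines; the IPs are documentation ranges and the values are dummies.
SAMPLE_LOG = """\
203.0.113.10 - - [02/May/2025:10:15:01 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 5123
203.0.113.10 - - [02/May/2025:10:15:07 +0000] "GET /index.php?requestKey=CONSTRUCTED&dataSign=CONSTRUCTED HTTP/1.1" 200 44
198.51.100.7 - - [02/May/2025:10:16:30 +0000] "GET /index.php?requestKey=CONSTRUCTED HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    # Lay out a throwaway tree shaped like app/code/<Vendor>/<Module>/ and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad = root / "app/code/ExampleVendor/ExampleModule/License.php"
        good = root / "app/code/OtherVendor/OtherModule/LicenseApi.php"
        for p, body in ((bad, SUSPECT_SAMPLE), (good, BENIGN_SAMPLE)):
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        print("suspect files:", [str(p.relative_to(root)) for p in scan_tree(root)])
    print("suspect requests:", find_backdoor_requests(SAMPLE_LOG))
```

On a real store, point scan_tree at the Magento root so both app/code and vendor are covered, and treat a hit as a reason for the full forensic review and clean-backup restore the advisory calls for, not as a verdict on its own: a legitimate license file can mention these parameters, and a modified backdoor can rename them.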


Link(s):
https://www.bleepingcomputer.com/ne...hain-attack-compromises-hundreds-of-e-stores/