Supply-chain attack hits hundreds of e-commerce sites, enabling browser-based malware to steal payment data


Hundreds of e-commerce sites were backdoored through a supply-chain attack that quietly deployed malicious code on visitors’ devices, posing a serious risk to customer payment data and other sensitive information. The breach, which began in April and appears ongoing, targets software that powers online stores. Security researchers say more than 500 sites relying on compromised software were infected, and the total could be twice as high. The attack underscores how a backdoor can lie unused for years before it is switched on and becomes an active breach.

The scope and timeline of the attack

The recent wave of compromises centers on a supply-chain attack that infiltrated at least three software providers whose products are used by thousands of online merchants. The attackers planted backdoors in these providers’ software, a form of breach that surfaces on the customer side only once the backdoor is activated. The infections have impacted hundreds of e-commerce sites, with a conservative count placing the number at more than 500. Industry researchers caution that the real figure may be substantially higher, given the widespread use of the affected software across numerous retail platforms.

A crucial facet of the story is the magnitude of the customer base affected. Among the compromised clients is a multinational corporation valued at about $40 billion, though the firm was not publicly identified by Sansec, the security firm investigating the incident. In communications to partners and customers, Sansec indicated that remediation across the infected customers remains limited at this stage, highlighting the difficulty of stamping out a backdoor that is deeply integrated into software ecosystems used by thousands of merchants.

The attack’s roots lie in a multi-vendor compromise affecting three software providers—Tigren, Magesolution (often abbreviated MGS), and Meetanshi. All three supply software that is built on Magento, an open-source e-commerce platform used by a vast number of online retailers. A fourth provider, Weltpixel, has a version of its software that has shown signs of similar backdoored behavior in some customer deployments, though Sansec had not yet confirmed whether those stores or Weltpixel themselves were compromised. Adobe has owned Magento since 2018, a detail that underscores the potential breadth of impact given Magento’s prominence in the e-commerce landscape.

The malware’s sustained dormancy complicates detection. Sansec described the backdoor as capable of remaining hidden for years before activating in the most recent weeks. Delayed backdoors—malware that sits quietly for extended periods before triggering—are relatively rare, which is why researchers are pursuing a deeper understanding of how this particular threat managed to lie in wait for six years before being noticed. Sansec’s ongoing investigation aims to determine whether similar dormant components exist elsewhere in the ecosystem and to map the full extent of the compromise.

In their assessment, Sansec researchers stressed that the primary risk is to the tens or hundreds of thousands of visitors who interact with infected sites. The attack’s architecture enables attackers to execute code of their choosing on the e-commerce servers, creating a pathway to subsequent actions that endanger visitors’ devices and data. The backdoor’s core capability—uploading and executing arbitrary PHP code—provides attackers with full remote control of the server environment, opening doors to data exfiltration, credential theft, and further distribution of malicious content.

The broader Magento ecosystem has long been a focal point for discussions about secure software supply chains. In this case, the backdoors planted in the extensions were used to load additional malicious functionality into the visitor’s browser. Magecart-like activity (skimming payment data as it flows through a customer’s browser) has become a common hallmark of such intrusions, and it appears to be a central objective of the breaches identified by Sansec in this campaign.

How the attack operates: backdoors, RCE, and browser skimming

At the core of the breach is a backdoor mechanism that gives attackers remote access and control over the infected servers. Because the backdoor permits uploading and executing arbitrary PHP code, attackers can achieve full remote code execution (RCE) on the compromised servers. This level of access allows them to conduct whatever operations they choose, limited only by the attacker’s objectives and the constraints of the compromised environments.

A key consequence of this RCE capability is the deployment of skimming software that runs in the user’s web browser. In many Magento-related breaches, the backdoor is used to inject code that operates within the visitor’s browser, capturing payment card details and other sensitive information as customers interact with the storefront. This dual-stage approach—gaining control of the server and then injecting browser-side skimming logic—expands the potential for data theft while remaining difficult to detect from a server-only perspective.

The backdoor’s operation includes a mechanism for conditional activation. It checks for a secret key in incoming web requests and, upon successful validation, grants the operator the ability to run commands on the e-commerce server. Once the initial license-loading component runs, a cascade of additional functions is triggered, ultimately executing malicious PHP code on the server; from that position, the attackers deliver malicious content to the browsers of site visitors. This orchestrated sequence enables criminals to persistently harvest data and maintain a foothold in affected stores.

Sansec’s analysis highlights that the backdoor code includes a function designed to load a license file, which is leveraged as part of the broader intrusion workflow. The presence of such a function—adminLoadLicense($licenseFile)—illustrates how attackers exploit legitimate-looking code paths to conceal malicious activity. While the specific code details are technical, the essential takeaway is that attackers used ordinary software development patterns to mask their operations, thereby evading casual detection.

In practical terms, infected stores may not display obvious symptoms to their operators at first. The backdoor’s design purposefully hides its activity, enabling attackers to remain undetected while the malware waits for a trigger to activate. Once the trigger occurs, the backdoor can prompt the loading of additional components that facilitate data exfiltration or further host-side manipulation. This stealthy approach explains why the attack remained dormant for so long and only recently surfaced as vendors and researchers intensified their reviews of the supply chain.
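The following scanner is an added illustration of how a site operator could hunt for the pattern just described (a license-loading function, a secret-key gate on the request, and dynamic execution of whatever was loaded) across a Magento code tree. It is not Sansec’s tooling and not the real backdoor: the PHP samples it writes into a temporary directory are constructed to exercise the regexes, and the regexes themselves are assumptions about how such code tends to look, not signatures of the actual malware. Only combinations are flagged, so an ordinary `$_GET['api_key']` lookup or a plain `include` on its own does not trip it.

```python
"""
Static scan for the license-loading backdoor pattern described above.
Added example, not Sansec's tooling. The PHP samples below are constructed
to exercise the scanner and are not the real backdoor; the indicator names
come from the article (a function named adminLoadLicense that loads a
license file, a secret-key check on the incoming request, and dynamic
execution of loaded content).
"""
import os
import re
import tempfile

# Indicator regexes. These are assumptions about how such code tends to look,
# not signatures of the actual malware.
LICENSE_FUNC = re.compile(r"function\s+adminLoadLicense\s*\(", re.IGNORECASE)
REQUEST_KEY_GATE = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\s*\[\s*['\"][^'\"]*"
    r"(?:key|token|license)[^'\"]*['\"]\s*\]",
    re.IGNORECASE,
)
DYNAMIC_EXEC = re.compile(
    r"\b(?:eval|assert|create_function|call_user_func(?:_array)?)\s*\("
    r"|\b(?:include|require)(?:_once)?\s*\(?\s*\$",
    re.IGNORECASE,
)

# Constructed PHP samples, written into a temp tree by build_sample_tree().
SAMPLES = {
    "app/code/Acme/Suspicious/Model/License.php": (
        "<?php\n"
        "class License {\n"
        "    public function adminLoadLicense($licenseFile) {\n"
        "        if (!isset($_REQUEST['license_key'])) { return false; }\n"
        "        return include $licenseFile; // dynamic inclusion of a loaded file\n"
        "    }\n"
        "}\n"
    ),
    "app/code/Acme/Benign/Model/Validator.php": (
        "<?php\n"
        "class Validator {\n"
        "    public function loadLicense($licenseFile) {\n"
        "        $data = json_decode(file_get_contents($licenseFile), true);\n"
        "        return hash_equals($this->expected, $data['sig'] ?? '');\n"
        "    }\n"
        "}\n"
    ),
    "app/code/Acme/Benign/Controller/Api.php": (
        "<?php\n"
        "class Api {\n"
        "    public function execute() { return $_GET['api_key'] ?? null; }\n"
        "}\n"
    ),
}


def classify_source(src: str) -> list[str]:
    """Return the indicator names present in one PHP source string."""
    hits = []
    if LICENSE_FUNC.search(src):
        hits.append("license_loader")
    if REQUEST_KEY_GATE.search(src):
        hits.append("request_key_gate")
    if DYNAMIC_EXEC.search(src):
        hits.append("dynamic_exec")
    return hits


def is_suspicious(hits: list[str]) -> bool:
    """Flag only combinations: dynamic execution plus a license loader or a
    request-key gate. A lone request parameter or a lone include is normal PHP."""
    return "dynamic_exec" in hits and ("license_loader" in hits or "request_key_gate" in hits)


def scan_tree(root: str) -> dict[str, list[str]]:
    """Classify every .php file under root; return {relative path: hits} for suspicious files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = classify_source(fh.read())
            if is_suspicious(hits):
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_tree() -> str:
    """Write the constructed samples into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="magento-scan-")
    for rel, content in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_tree()).items():
        print(f"SUSPICIOUS {rel}: {', '.join(hits)}")
```

Run it against a real store by pointing `scan_tree` at the Magento root (typically the `app/code` and `vendor` directories). Every hit still needs a human to read the file: the point of the combination rule is to keep the list short enough that someone actually does.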

Researchers have cataloged 21 infected extensions across the three identified vendors. The following sections break down the scope by vendor and highlight the specific extensions implicated in the breaches. By enumerating the affected components, Sansec and other researchers aim to provide merchants with a precise map of which parts of their ecosystems may be compromised and require remediation.

Vendors involved and the 21 infected extensions

The attack’s backbone rests on three Magento-based extension providers whose products were found to be backdoored. The three identified suppliers are Tigren, Magesolution (MGS), and Meetanshi. A fourth provider, Weltpixel, has products that showed signs of compromised code on some installations, but investigators had not yet established a definitive link to those particular stores or to Weltpixel’s distribution chain as of the latest disclosures. Magento, the e-commerce platform at the heart of the distribution, has been under the umbrella of Adobe since 2018, reinforcing the platform’s widespread reach and the potential scale of impact when its ecosystem is targeted.

From Sansec’s findings, the following extensions have been confirmed as infected across the three principal vendors:

  • Tigren
    • Ajaxsuite
    • Ajaxcart
    • Ajaxlogin
    • Ajaxcompare
    • Ajaxwishlist
    • MultiCOD
  • Meetanshi
    • ImageClean
    • CookieNotice
    • Flatshipping
    • FacebookChat
    • CurrencySwitcher
    • DeferJS
  • Magesolution (MGS)
    • Lookbook
    • StoreLocator
    • Brand
    • GDPR
    • Portfolio
    • Popup
    • DeliveryTime
    • ProductTabs
    • Blog

In addition to these confirmed extensions, there were indications that other components supplied by the same vendors might also be involved, although the scope of confirmation varied by vendor and storefront. The investigation into Weltpixel’s catalog suggested similar risk, but definitive attribution to Weltpixel’s products in infected customer environments had not been established at the time of the latest updates.
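To turn the list above into an inventory check, the added script below cross-references the modules registered in a Magento 2 store against the 21 names and the vendors involved. It is not code from Sansec or the vendors. Two assumptions are built in: modules follow Magento’s `Vendor_Name` convention and appear in `app/etc/config.php` as `'Vendor_Name' => 1` (enabled) or `=> 0` (disabled), and, because the page gives extension names rather than exact module identifiers, names are matched case- and punctuation-insensitively. The `config.php` snippet is constructed.

```python
"""
Cross-check installed Magento modules against the 21 extensions listed above.
Added example, not Sansec's or the vendors' code. Assumes Magento's
Vendor_Name module convention and the 'Vendor_Name' => 1/0 entries of
app/etc/config.php; module names are matched loosely because the page lists
extension names, not exact module identifiers.
"""
import re

# Extensions named on the page, grouped by vendor (vendor keys normalized).
AFFECTED_EXTENSIONS = {
    "tigren": {"Ajaxsuite", "Ajaxcart", "Ajaxlogin", "Ajaxcompare", "Ajaxwishlist", "MultiCOD"},
    "meetanshi": {"ImageClean", "CookieNotice", "Flatshipping", "FacebookChat",
                  "CurrencySwitcher", "DeferJS"},
    "mgs": {"Lookbook", "StoreLocator", "Brand", "GDPR", "Portfolio", "Popup",
            "DeliveryTime", "ProductTabs", "Blog"},
}
VENDOR_ALIASES = {"magesolution": "mgs"}   # the page uses both names for one vendor
UNCONFIRMED_VENDORS = {"weltpixel"}        # signs of compromise, not confirmed on the page


def normalize(name: str) -> str:
    """Lowercase and strip punctuation so 'AjaxSuite' and 'Ajaxsuite' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


NORMALIZED = {v: {normalize(n) for n in names} for v, names in AFFECTED_EXTENSIONS.items()}

# 'Vendor_Module' => 1  or  => 0, as written in app/etc/config.php
MODULE_RE = re.compile(r"'([A-Za-z0-9]+)_([A-Za-z0-9]+)'\s*=>\s*([01])")


def parse_config_modules(config_php: str) -> dict[str, bool]:
    """Return {module name: enabled} from the text of app/etc/config.php."""
    return {f"{v}_{m}": flag == "1" for v, m, flag in MODULE_RE.findall(config_php)}


def assess_modules(modules: dict[str, bool]) -> list[dict]:
    """Classify each module: on the infected list, same vendor but unlisted, or unconfirmed vendor."""
    results = []
    for full, enabled in modules.items():
        vendor, _, module = full.partition("_")
        v = normalize(vendor)
        v = VENDOR_ALIASES.get(v, v)
        if v in NORMALIZED:
            status = "listed_infected" if normalize(module) in NORMALIZED[v] else "same_vendor_review"
        elif v in UNCONFIRMED_VENDORS:
            status = "unconfirmed_vendor_watch"
        else:
            continue
        results.append({"module": full, "enabled": enabled, "status": status})
    return results


# Constructed config.php excerpt; module names other than the listed ones are made up.
SAMPLE_CONFIG_PHP = """<?php
return [
    'modules' => [
        'Magento_Store' => 1,
        'Tigren_Ajaxsuite' => 1,
        'Tigren_Example' => 1,
        'Meetanshi_ImageClean' => 1,
        'MGS_Lookbook' => 0,
        'Weltpixel_Example' => 1,
    ]
];
"""

if __name__ == "__main__":
    for row in assess_modules(parse_config_modules(SAMPLE_CONFIG_PHP)):
        state = "enabled" if row["enabled"] else "disabled"
        print(f"{row['status']:<26} {row['module']} ({state})")
```

A disabled module still has its code on disk, which is why the report carries the enabled flag rather than dropping disabled entries: the page’s remediation advice is to remove or replace backdoored components, not merely to switch them off.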

The backdoor’s persistence and the breadth of affected extensions imply that a sizable portion of Magento-based storefronts relying on these vendors could be targeted. The use of backdoored extensions to seed or deliver additional malicious modules—often designed to operate in tandem with the browser-side skimming code—illustrates how attackers layered multiple techniques to maximize impact across a wide range of victims.

The researchers’ ongoing work includes cross-referencing infected deployments with vendor release histories to determine whether compromised versions were distributed through standard update channels or were introduced via supply-chain compromises at the vendor level. The goal is to help merchants identify whether their installations were supplied with tainted code and to establish a prioritized remediation path for affected components.

Magento ecosystem and Magecart context

The Magento ecosystem’s vulnerability profile in the wake of this attack underscores several well-known realities about modern e-commerce software:

  • The reliance on third-party extensions creates a multiplicity of potential attack surfaces. Even trusted vendors can inadvertently distribute compromised code, underscoring the necessity for rigorous supply-chain security practices.
  • Backdoors that remain dormant for extended periods pose particular challenges for detection. As in this case, a backdoor that only activates after a long interval can evade routine security monitoring and window-based threat hunting.
  • The combination of server-side backdoors with client-side data skimming—often labeled Magecart activity—amplifies the data-exfiltration potential. Browser-based skimming can bypass certain server-side integrity checks and complicate post-incident investigations.

The fact that Adobe has owned Magento since 2018 adds another layer of complexity to attribution and remediation in the Magento ecosystem. While Adobe’s stewardship does not guarantee immunity from supply-chain compromises, it does shape how vendors, security researchers, and merchants approach patching, governance, and ongoing monitoring of extensions and core software. The interplay between backdoors in extensions and browser-based data theft remains a central theme in evaluating risk and prioritizing remediation.

In the broader security community, the incident resonates with ongoing concerns about how modern online commerce platforms—built from modular components sourced from multiple providers—can become a single point of failure. The omnipresent push to accelerate digital commerce must be balanced with robust validation, continuous monitoring, and swift incident-response mechanisms to mitigate supply-chain risks when they arise.

Victim profile and remediation status

Among the victims cited by Sansec is a multinational corporation valued at roughly $40 billion. The company’s identity was not disclosed in the public disclosures at the time, in line with standard privacy practices that protect client confidentiality during ongoing investigations. Sansec indicated that remediation across affected enterprises remained limited as of the latest communications, signaling the complexity of fully eliminating the backdoor while maintaining normal business operations. The nature of such remediation often involves isolating compromised software, updating or replacing backdoored extensions, and conducting comprehensive integrity checks on storefronts to ensure no latent footholds remain.

The broader implication for merchants is the need for a disciplined, multi-layered incident-response approach. Remediation typically includes identifying infected extensions, removing compromised code paths, validating all third-party packages against trusted sources, and revalidating payment processes to ensure no skimming occurs post-remediation. Merchants must also consider additional steps such as credential rotation for administrators and API users, enhanced monitoring of payment-related events, and strengthening input validation and file integrity checks across their environments.
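The file-integrity step mentioned above can be made concrete with a hash baseline and a drift report. The script below is an added example, not tooling from Sansec or Magento; it constructs a small extension directory in a temporary folder, baselines it, then simulates the three kinds of drift (edited, added, removed file) and reports them.

```python
"""
File-integrity baseline and drift report for an extension directory.
Added example, not Sansec's or Magento's tooling; the extension files are
constructed in a temporary directory so the block runs offline.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict[str, str]:
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = sha256_of_file(path)
    return baseline


def compare_to_baseline(root: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, modified or removed relative to a trusted baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> dict[str, list[str]]:
    """Build a constructed extension, baseline it, then simulate drift and report it."""
    root = tempfile.mkdtemp(prefix="ext-integrity-")
    _write(root, "registration.php", "<?php // constructed registration stub\n")
    _write(root, "etc/module.xml", "<config><module name=\"Acme_Example\"/></config>\n")
    _write(root, "Model/License.php", "<?php class License { public function check() { return true; } }\n")
    baseline = build_baseline(root)

    # Simulated drift, all constructed: one file edited, one added, one deleted.
    _write(root, "Model/License.php", "<?php class License { public function check() { return false; } }\n")
    _write(root, "Helper/Extra.php", "<?php // constructed file that was not in the baseline\n")
    os.remove(os.path.join(root, "etc", "module.xml"))
    return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The caveat that matters for this incident: a baseline only detects changes made after it was taken. If the backdoor shipped inside the vendor package, a baseline computed from the deployed tree will reflect the backdoor as “known good”, so take the baseline from a package you have validated against the vendor’s own distribution and compare the deployed copy against that.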

Sansec’s ongoing work includes helping store operators determine if their installations contain the specific indicators of compromise described in their advisory. One practical detection signal involves looking for the function that loads a license file, specifically a pattern where a backdoor invokes licensing logic to trigger a chain of events culminating in the execution of malicious PHP code on the server and, from there, skimming code in visitors’ browsers. While this description is technically nuanced, understanding the general flow helps site operators tailor their scans and remediation plans to the most relevant risk indicators.

In addition to component-level remediation, the incident has implications for the management of the Magento marketplace ecosystem. Vendors implicated in the infections must re-evaluate their software development and distribution pipelines to reduce the likelihood of future compromises. This includes strengthening code review processes, implementing stricter security scanning of new releases, and adopting transparent, auditable supply-chain controls that can be validated by customers and security researchers.

Detection, remediation, and guidance for site owners

For merchants and developers operating Magento-based storefronts, the following guidance reflects the core lessons drawn from this incident and aligns with best practices in supply-chain security, incident response, and data-protection hygiene:

  • Perform a thorough inventory of all installed extensions from Tigren, Magesolution (MGS), Meetanshi, and any related components, including those from Weltpixel. Cross-reference with the vendor’s official release notes and security advisories to identify versions known to be affected by the backdoor.
  • Conduct targeted code reviews of extensions identified as infected, focusing on the presence of licensing-related entry points, unusual function calls, and suspicious file paths that can load hidden PHP code into the storefront or visitor sessions.
  • Specifically inspect for backdoor indicators such as a function that loads a license file and triggers a chain of internal calls culminating in the execution of attacker-supplied PHP code on the server, which is then used to push malicious scripts to client devices. While the exact code paths can vary, the general pattern involves a license-loading sequence that becomes a launching point for remote command execution.
  • Verify whether your deployment includes a backdoored version of any extension and, if so, upgrade to patched versions provided by the vendor or replace the component with a trusted alternative. Do not rely on updates locked behind opaque distribution channels; validate the integrity of all vendor software before applying updates.
  • Implement additional integrity checks on all storefront codepaths that interact with payment processing. This includes hardening the server against arbitrary PHP execution, restricting file inclusion operations, and enforcing strict input validation for all user-supplied data.
  • Strengthen monitoring around payment-related events and data flows. Look for anomalies in card data requests, unexpected script injections, or unexplained modifications to the storefront’s behavior during checkout or cart operations.
  • Consider network segmentation and least-privilege access controls for storefront servers. Limit the exposure of critical payment processing components and reduce the risk of an attacker moving laterally once they gain initial access.
  • Engage in a structured incident-response workflow if compromise is suspected. This includes isolating affected environments, preserving forensic artifacts, notifying relevant stakeholders, and coordinating with the software vendors to ensure clean remediation and verifiable restoration.
  • Document the remediation steps taken, the extensions removed or updated, and the verification results. Maintain a clear chain of custody for any forensic data and provide a post-incident report that can be used to strengthen future defenses.
  • Communicate with customers and stakeholders transparently about the incident, without disclosing sensitive internal details. Provide guidance on safe shopping practices and steps customers can take to protect their payment information if they interacted with compromised storefronts.
  • Maintain ongoing collaboration with security researchers and vendors to monitor for new indicators of compromise and to stay ahead of evolving threat tactics that combine supply-chain weaknesses with browser-based data theft.
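The monitoring bullet about unexpected script injections during checkout is the browser-side half of this attack, and it can be checked mechanically. The added script below (not code from Sansec, Magento or the vendors) parses a checkout page and reports two things: external scripts served from hosts outside an allowlist, and inline scripts whose CSP-style SHA-256 digest is not in a set of known-good hashes. The HTML, the host allowlist and the known inline script are all constructed for the example; a real deployment would populate them from a clean build of the storefront.

```python
"""
Allowlist check for scripts on a checkout page. Added example, not Sansec's
or Magento's code. The page HTML, the allowed hosts and the known inline
script are constructed for illustration.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCRIPT_HOSTS = {"shop.example", "static.shop.example"}  # constructed allowlist

# Constructed "known good" inline script, as emitted by a clean storefront build.
KNOWN_INLINE = 'window.checkoutConfig = {"currency": "EUR"};'


def inline_hash(src: str) -> str:
    """CSP-style digest of an inline script body: 'sha256-<base64>' over the exact text."""
    digest = hashlib.sha256(src.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


KNOWN_INLINE_HASHES = {inline_hash(KNOWN_INLINE)}


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attributes
        self.inline = []     # inline script bodies
        self._buf = None     # accumulates the current inline body

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def audit_checkout_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, known_hashes=KNOWN_INLINE_HASHES):
    """Return findings for scripts that are not on the allowlists."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or ""
        if host and host not in allowed_hosts:   # relative (same-origin) srcs have no host
            findings.append({"kind": "external", "src": src, "host": host})
    for body in parser.inline:
        digest = inline_hash(body)
        if digest not in known_hashes:
            findings.append({"kind": "inline", "hash": digest, "preview": body.strip()[:60]})
    return findings


# Constructed checkout page: one allowed external script, one known inline
# script, one external script from an unknown host, one unknown inline script.
SAMPLE_HTML = (
    "<html><head>"
    '<script src="https://static.shop.example/js/checkout.js"></script>'
    "<script>" + KNOWN_INLINE + "</script>"
    "</head><body>"
    '<script src="//cdn.not-on-allowlist.example/collect.js"></script>'
    '<script>console.log("constructed unknown inline script");</script>'
    "</body></html>"
)

if __name__ == "__main__":
    for finding in audit_checkout_html(SAMPLE_HTML):
        print(finding)
```

Because the digest is computed over the exact script text, the same hashes can be reused in a Content-Security-Policy `script-src` directive, which turns the audit from a detection into a browser-enforced control. Fetch the page as a real visitor would (a server-side backdoor may serve different content to the operator’s IP or to logged-in admins), and expect legitimate findings whenever a release changes the inline configuration scripts, so re-baseline on every deployment.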

The guidance above emphasizes proactive defense, rapid detection, and robust incident response to minimize the impact of supply-chain intrusions like the one described. While the precise technical details of how each affected extension operates can vary, the underlying principle remains consistent: a compromised supply chain can enable attackers to gain deep access and exfiltrate payment data through legitimate-looking software channels, underscoring the importance of vigilant governance and continuous security validation.

Industry implications and ongoing investigation

The scale of this supply-chain attack highlights several enduring challenges in modern e-commerce security. First, the collaboration between multiple vendors—each responsible for a portion of the storefront’s functionality—creates a broader attack surface that is harder to secure than any single monolithic system. When a backdoor is embedded in one component, it can propagate through updates and forks, reaching potentially thousands of sites that depend on those components for core functionality.

Second, the six-year dormancy period observed in this incident demonstrates the difficulty of detecting sophisticated backdoors that wait for a triggering condition. Delayed or dormant threats complicate threat hunting and retrospective analysis, making it essential for security teams to implement continuous monitoring, regular integrity checks, and comprehensive supply-chain risk assessments. The rarity of such long-latent backdoors makes this discovery particularly noteworthy to researchers and merchants alike, prompting renewed attention to the temporal dimension of threat detection and the value of continuous verification across software ecosystems.

Third, the incident underscores the critical importance of vendor transparency and secure software distribution practices. Merchants rely on extension providers to supply secure, well-vetted components, but when a trusted vendor’s distribution chain is compromised, the impact can be widespread. The ongoing investigation by Sansec and partners seeks to determine the breadth of the compromise, identify all affected extensions, and map the flow of tainted software from the original providers to downstream customers. This process is essential for accurately assessing risk, informing remediation priorities, and preventing recurrence.

From a consumer protection standpoint, the combination of backdoors on servers and browser-based data theft compounds risk for shoppers. Payment card details and other sensitive information are among the most valuable targets for cybercriminals, and the presence of a backdoor increases the likelihood that attackers can intercept and exfiltrate data at checkout or during user sessions. The industry response to this threat must balance rapid remediation with careful verification to ensure that customer data remains protected as storefronts return to normal operations.

Researchers emphasize that ongoing collaboration is crucial. Security teams, merchants, platform providers, and extension developers must share findings and indicators of compromise to accelerate detection and remediation. The goal is not merely to remove malicious code but to strengthen the entire software supply chain—reducing the odds that similar backdoor intrusions can reemerge in the future. The Magento ecosystem, given its popularity and openness, requires continued diligence from all stakeholders to sustain trust and resilience in e-commerce environments.

Conclusion

The recent supply-chain attack that backdoored Magento-based extensions from Tigren, Magesolution, and Meetanshi—potentially affecting hundreds of e-commerce sites and at least one major multinational company—represents a stark reminder of the vulnerabilities inherent in modern online retail ecosystems. By enabling remote code execution on servers and introducing browser-based data-skimming capabilities, the attack highlights how attackers can leverage trusted software channels to reach a broad audience of shoppers. The involvement of multiple vendors and the dormant-to-active transition observed in this campaign underscore the complexity of modern threat models and the importance of proactive supply-chain security.

Security researchers from Sansec have identified 21 infected extensions across the three affected vendors, with potential links to Weltpixel in some installations. Adobe’s long-standing custody of Magento adds another layer to the discussion about ecosystem security, vendor accountability, and coordinated remediation. As remediation efforts progress, merchants are urged to conduct thorough reviews of installed extensions, verify vendor integrity, and implement robust detection and response measures to minimize further risk. The incident serves as a call to action for the broader e-commerce community: to strengthen supply chains, accelerate timely software updates, and maintain vigilant monitoring to protect customer data and preserve trust in online shopping.

In the ongoing investigation, researchers will continue to analyze how the dormant backdoor achieved activation, which extensions were most heavily exploited, and how the attackers maintained persistence across diverse storefronts. As new information emerges, the industry will need to translate insights into concrete improvements—ensuring that the next generation of e-commerce platforms is better protected against supply-chain compromises and browser-based data theft. The lessons learned here will shape best practices for vendors, merchants, and security teams moving forward, emphasizing the enduring importance of rigorous software provenance, transparent risk communication, and comprehensive defense-in-depth strategies.
