6-Year Dormant Malware in Magento Extensions Hits 1,000 E-Commerce Sites — Including Global Enterprise

Cybercriminals Exploit Old Code in Coordinated Supply Chain Attack Affecting Major Vendors and Online Stores Worldwide

A major supply chain attack has hit the Magento ecosystem, compromising between 500 and 1,000 online stores, one of which belongs to a $40 billion multinational corporation. What makes the breach so alarming is not just its scale but its patience: malicious code planted in as many as 21 Magento extensions lay dormant for six years before being activated in April 2025. The backdoored extensions come from well-known vendors Tigren, Meetanshi, and MGS.

Researchers at Dutch cybersecurity firm Sansec uncovered the attack and revealed that a shared PHP backdoor was embedded in various extensions as early as 2019. These extensions, used widely across Magento-powered e-commerce platforms, were silently waiting for a remote trigger—until now.

Summary of Key Developments

Scope of Attack: Between 500 and 1,000 Magento-based e-commerce websites compromised.
Notable Victim: A global enterprise valued at $40 billion is among the affected companies.
Attack Method: Supply chain compromise through 21 infected third-party Magento extensions.

Vendors Involved:

Tigren: Ajaxsuite, Ajaxcart, Ajaxlogin, Ajaxcompare, Ajaxwishlist, MultiCOD.

Meetanshi: ImageClean, CookieNotice, Flatshipping, FacebookChat, CurrencySwitcher, DeferJS.

MGS: Lookbook, StoreLocator, Brand, GDPR, Portfolio, Popup, DeliveryTime, ProductTabs, Blog.
Additional Extension: A version of Weltpixel’s GoogleTagManager may also be affected.

Backdoor Details:

Malicious PHP code embedded in `License.php` or `LicenseApi.php`.

Activates only on HTTP requests that carry special parameters (requestKey, dataSign); other requests are ignored.
Once triggered, grants remote access, including uploading PHP files and executing them via include_once().
Evolution: Early versions of the backdoor required no authentication; newer versions check a hardcoded key.
Activation: Dormant malware activated in April 2025, years after being planted.
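The indicators above (the License.php / LicenseApi.php file names, the requestKey and dataSign parameters, and include_once() as the execution sink) are enough for a first-pass static check of a Magento code tree. The scanner below is an added example written for this article, not Sansec's tooling or any vendor's code; it assumes the indicator strings appear literally in the PHP source, and the sample tree it builds is constructed for the demo and carries only those strings, not the real backdoor.

```python
"""Added example (not Sansec's or the article's code): a static indicator scan for
the backdoor the report describes. It walks a Magento tree and flags PHP files
named License.php / LicenseApi.php (optionally every .php file) that reference the
requestKey / dataSign request parameters and call include_once().

Assumptions (mine): the indicator strings appear literally in the PHP source, and
the sample tree built below is constructed for the demo, not real vendor code.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# File names the report associates with the backdoor.
SUSPECT_NAMES = {"License.php", "LicenseApi.php"}

# Indicators drawn from the report: the two trigger parameters plus the sink.
INDICATORS = {
    "requestKey": re.compile(r"\brequestKey\b"),
    "dataSign": re.compile(r"\bdataSign\b"),
    "include_once": re.compile(r"\binclude_once\b"),
}


@dataclass
class Finding:
    path: str
    hits: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # All three indicators together is the strongest signal; one alone is noise.
        return len(self.hits)


def inspect_file(path: str):
    """Return a Finding if the file contains any indicator, else None."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            src = fh.read()
    except OSError:
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    return Finding(path, hits) if hits else None


def scan_tree(root: str, only_license_files: bool = True):
    """Walk root; with only_license_files=False every .php file is inspected."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            if only_license_files and name not in SUSPECT_NAMES:
                continue
            finding = inspect_file(os.path.join(dirpath, name))
            if finding:
                findings.append(finding)
    # Highest indicator count first, so the likely backdoor tops the list.
    return sorted(findings, key=lambda f: (-f.score, f.path))


def build_sample_tree() -> str:
    """Constructed demo tree (not real vendor code): a benign license file, a file
    carrying all three indicator strings, and an unrelated helper that only
    happens to use include_once."""
    root = tempfile.mkdtemp(prefix="magento-demo-")
    samples = {
        "app/code/VendorA/Widget/License.php":
            "<?php\nclass License { public function check() { return 'ok'; } }\n",
        "app/code/VendorB/Widget/LicenseApi.php":
            "<?php\n// constructed sample carrying only the indicator strings\n"
            "if (isset($_REQUEST['requestKey'], $_REQUEST['dataSign'])) { include_once($uploaded); }\n",
        "vendor/acme/lib/Helper.php":
            "<?php\ninclude_once __DIR__ . '/Util.php';\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for f in scan_tree(demo_root, only_license_files=False):
        print(f"{f.score} {os.path.relpath(f.path, demo_root)}: {', '.join(f.hits)}")
```

Run it with only_license_files=False against app/code and vendor on a real store; a single include_once hit is ordinary PHP, while a License file that also reads requestKey and dataSign deserves a manual read and a comparison against a clean copy of the extension.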

Consequences:

Potential for data theft, admin account creation, credit card skimming, and full server compromise.
Attackers can upload and execute malicious scripts through the backdoor.

Vendor Responses:

MGS: No response to Sansec’s alert.

Tigren: Denies breach, still distributing infected code.

Meetanshi: Acknowledged server breach but denies extension compromise.

Sansec’s Findings:

The backdoor shows a high level of sophistication and long-term planning.
Some extensions remain publicly downloadable with the backdoor still present.

Immediate Action Advised:

Full malware scans.

Restoration from clean backups.

Monitoring of outgoing traffic and admin activity.
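Monitoring can start with the web server's own access logs, since the report says the backdoor answers only to requests carrying the requestKey and dataSign parameters. The detection logic below is an added example written for this article, not Sansec's or any vendor's code. It assumes Apache/nginx combined log format, and the sample lines are constructed. Parameters sent in a POST body never reach an access log, so this check is a floor, not a ceiling.

```python
"""Added example (not Sansec's or the article's code): detection logic for the
trigger described in the report, run over web-server access logs. It flags
requests that carry the requestKey or dataSign parameters in the query string and
requests aimed directly at a License.php / LicenseApi.php path.

Assumptions (mine): logs are in Apache/nginx combined format; the sample lines
below are constructed. POST bodies are not in access logs, so a log-only check
misses parameters sent that way.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
PARAM_IOCS = {"requestKey", "dataSign"}      # trigger parameters from the report
PATH_IOC = re.compile(r"/License(Api)?\.php$")  # file names from the report


def classify(line: str):
    """Return a dict describing why a line is suspicious, or None if it is not."""
    m = LOG_RX.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    params = set(parse_qs(target.query, keep_blank_values=True))
    reasons = []
    ioc_params = sorted(params & PARAM_IOCS)
    if ioc_params:
        reasons.append("ioc-param:" + ",".join(ioc_params))
    if PATH_IOC.search(target.path):
        reasons.append("ioc-path")
    if not reasons:
        return None
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "path": target.path,
        "status": int(m["status"]),
        "reasons": reasons,
    }


def scan_log(lines):
    """Apply classify() to every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines; timestamps sit in the April 2025 activation window.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Apr/2025:03:14:07 +0000] "GET /index.php?requestKey=abc&dataSign=def HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.23 - - [20/Apr/2025:03:14:09 +0000] "POST /app/code/VendorB/Widget/LicenseApi.php HTTP/1.1" 200 93 "-" "python-requests/2.31"',
    '192.0.2.10 - - [20/Apr/2025:03:15:00 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [20/Apr/2025:03:15:01 +0000] "GET /checkout/cart/?qty=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["method"], hit["path"], ";".join(hit["reasons"]))
```

To cover parameters sent in a request body, the same two names are worth a rule at the WAF or reverse proxy, which sees the body and can block as well as log; pair that with review of admin logins and new admin accounts, since the report lists account creation among the backdoor's capabilities.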

Ongoing Investigation: Sansec promises more details in coming weeks.

What Undercode Says:

This breach underscores the persistent and evolving threat of supply chain attacks, especially in environments reliant on third-party code such as Magento. The attackers demonstrated remarkable patience and precision, embedding malware that remained undetected for six years before initiating its payload. This isn’t just a cybersecurity failure—it’s a case study in how long-term strategic infiltration can silently fester within digital ecosystems.

The malware exploited trusted distribution channels. Developers and businesses often install Magento extensions assuming vendor legitimacy. By compromising well-known providers like Tigren, Meetanshi, and MGS, attackers piggybacked on the community’s trust to infiltrate a vast network of online retailers.

What’s particularly chilling is the deliberate delay in activation. The use of dormant code hints at a slow-burn strategy: rather than immediate gains, the perpetrators waited for the right moment to trigger the attack—perhaps coordinating with other activities or waiting for widespread adoption of the infected extensions.

Technically, the backdoor is both subtle and effective. It lives in a file named License.php or LicenseApi.php, exactly where licensing code is expected, and it answers only to requests carrying the requestKey and dataSign parameters, so it stays inert under ordinary traffic and casual review. Code the attacker uploads is then executed through PHP’s include_once(), which lets the attacker choose when, and on which store, to act.

The hardcoded keys in newer versions show the threat actors adapting: an unauthenticated backdoor can be hijacked by anyone who finds it, whereas a keyed one answers only to its owner. The variation between versions also means a signature written for one copy will not necessarily match the next, which is why behavior-based checks matter here.

The vendors’ varied responses are telling. Tigren’s denial, coupled with continued distribution of the infected extensions, is deeply irresponsible. MGS’s silence raises red flags, and while Meetanshi at least acknowledged a breach, their partial admission doesn’t inspire much confidence.

For companies, this is a harsh reminder that open-source doesn’t mean immune, and even trusted extensions can harbor dangerous code. Regular code audits, behavior-based threat detection, and strict vetting of third-party tools must become standard practice.

This attack also places new pressure on marketplaces and extension repositories. There’s a growing need for integrity checks, mandatory code audits, and improved transparency in extension update histories.

As for customers, the breach affects more than just backend infrastructure—it puts sensitive user data at risk, potentially leading to identity theft and credit card fraud. The ripple effect from these types of breaches can be enormous.

For Magento developers and site owners, this is a clarion call to:

Monitor for unusual admin activity,

Deploy file integrity monitoring systems,

Immediately cease usage of the affected extensions,

Push vendors for clearer communication and timely patches.

In cybersecurity, complacency is as dangerous as malicious code. This incident serves as both a wake-up call and a roadmap for future resilience.

Fact Checker Results:

Sansec published the findings, and BleepingComputer independently confirmed the backdoor in at least one extension (MGS StoreLocator).
All listed vendors were contacted: MGS did not respond, Tigren denied a breach, and only Meetanshi acknowledged a compromise, and then only of its server, not its extensions.

Prediction:

This incident will likely push Magento and similar platforms toward stricter vetting and verification processes for third-party extensions. Expect increased scrutiny on extension marketplaces, more businesses demanding signed code, and a potential shift toward zero-trust principles in extension deployment. As awareness spreads, vendors may face legal consequences, and users will demand more transparency and accountability in digital supply chains.

References:

Reported By: www.bleepingcomputer.com