A sweeping supply chain attack has rocked the e-commerce world, revealing that malicious actors quietly injected backdoors into 21 software extensions used by hundreds of online stores. In a shocking twist, the backdoor code was embedded as far back as six years ago, but it wasn’t discovered until now, when attackers suddenly activated it. The implications are severe, highlighting a glaring risk in the software supply chain for platforms like Magento.
Cybersecurity researchers at Sansec uncovered the campaign after noticing unusual activity on compromised e-commerce servers. It turned out that the attackers had breached the download infrastructure of three major vendors: Tigren, Meetanshi, and Magesolution (MGS). By embedding malicious logic into legitimate extensions, the attackers silently weaponized tools used by hundreds of online retailers.
The Attack
- Scope: Between 500 and 1,000 e-commerce websites were potentially compromised via infected third-party Magento extensions.
- Backdoor Duration: The malware was injected at least six years ago but remained dormant or undetected until April 2025.
- Key Discovery: Credit goes to Alexandra Zota for initially flagging suspicious activity.
- Attack Type: This is classified as a supply chain attack, one of the most dangerous forms of cyber threat due to its reach and stealth.
- Vendor Infiltration: The attackers compromised the software download servers of:
  - Tigren
  - Meetanshi
  - Magesolution (MGS)
- Notable Victims: Hundreds of stores, including a global enterprise worth $40 billion, are running compromised versions.
- Malicious Technique: A fake license verification system embedded in files like License.php and LicenseApi.php allowed attackers to execute arbitrary PHP code by manipulating the $licenseFile variable.
- Authentication Loopholes: Older versions allowed unauthenticated access; newer ones required a secret key, but both could be abused.
- Packages Affected: 21 extensions, including Ajaxcart, FacebookChat, GDPR, StoreLocator, and CurrencySwitcher.
- Backdoor Activation: The adminLoadLicense function executed malicious payloads. Activation was done through registration.php.
- Checksums and Signatures: Each vendor’s backdoor had unique characteristics to evade detection.
- Vendor Responses:
  - Tigren: Denies breach; affected packages still online.
  - Meetanshi: Admits server breach but claims no evidence of code tampering.
  - MGS: No response; compromised packages remain accessible.
- Sansec Statement: It’s rare for a backdoor to go unnoticed for six years, and rarer still that its abuse only began recently.
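The indicators listed above (license-verification files named License.php and LicenseApi.php, the adminLoadLicense loader, and a file path taken from the $licenseFile variable) are enough to build a first-pass triage scan of a Magento codebase. The script below is an added example, not Sansec's tooling and not code from any of the affected vendors: it walks an extension tree, flags PHP files by name and by two regex indicators, and grades each hit. The regexes and the sample tree are this example's own constructions; the page does not say how $licenseFile reaches the interpreter, so matching it in an include/require is an assumption, and a "high" grade means "review this file", not "confirmed backdoor".

```python
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List

# File names called out in the public reporting on the campaign.
SUSPECT_FILENAMES = {"License.php", "LicenseApi.php"}

# Heuristic indicators written for this example (not Sansec signatures).
INDICATORS = {
    # the admin-side loader function named in the disclosure
    "calls adminLoadLicense": re.compile(r"\badminLoadLicense\s*\("),
    # a path taken from $licenseFile handed to include/require
    # (assumption: the page does not state the exact mechanism)
    "includes $licenseFile": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*\$licenseFile\b"
    ),
}


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # one indicator is a hint; two or more warrant a manual review
        return "high" if len(self.reasons) >= 2 else "low"


def scan_file(path: str) -> Finding:
    """Collect every indicator that fires for a single PHP file."""
    finding = Finding(path)
    if os.path.basename(path) in SUSPECT_FILENAMES:
        finding.reasons.append("suspect filename")
    with open(path, encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    for label, pattern in INDICATORS.items():
        if pattern.search(source):
            finding.reasons.append(label)
    return finding


def scan_tree(root: str) -> List[Finding]:
    """Scan all .php files under root; strongest findings first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            finding = scan_file(os.path.join(dirpath, name))
            if finding.reasons:
                findings.append(finding)
    return sorted(findings, key=lambda f: (-len(f.reasons), f.path))


def build_sample_tree(root: str) -> None:
    """Write a CONSTRUCTED extension tree: two benign files, one that only
    carries a suspect name, and one stand-in that trips every indicator.
    None of this is the real backdoor code."""
    files = {
        "Vendor/Clean/registration.php":
            "<?php\n// benign module registration (constructed)\n",
        "Vendor/Clean/Helper/Data.php":
            "<?php\nclass Data { public function run() { return 1; } }\n",
        "Vendor/Other/Model/LicenseApi.php":
            "<?php\n// name matches, body is harmless (constructed)\n"
            "class LicenseApi { public function check() { return true; } }\n",
        "Vendor/Suspect/Controller/Adminhtml/License.php":
            "<?php\n// CONSTRUCTED stand-in for the described pattern\n"
            "function adminLoadLicense($licenseFile) {\n"
            "    include $licenseFile;\n"
            "}\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> dict:
    """Scan the constructed tree; return {relative path: [reasons]}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {
            os.path.relpath(f.path, root).replace(os.sep, "/"): f.reasons
            for f in scan_tree(root)
        }


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(f"{'high' if len(reasons) >= 2 else 'low':4} {path}: {', '.join(reasons)}")
```

Run it against the `vendor/` and `app/code/` directories of a store rather than the constructed tree; a file whose only hit is the name LicenseApi.php is common and usually benign, which is why the grade only rises when the loader function or the variable include is present as well.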
What Undercode Says:
This event is one of the most instructive case studies in modern digital supply chain security. The idea that a silent backdoor could persist in production-level software for over half a decade without detection should terrify any developer or system administrator. Let’s break down the critical failings and takeaways:
1. Supply Chain Weakness Is the New Perimeter Breach
Hackers no longer need to directly target victims. Instead, by infiltrating trusted vendors, they inherit access to hundreds of downstream systems. In this case, just three vendor breaches gave access to nearly a thousand stores.
2. Software Trust Is Not Security
Most developers or system integrators blindly trust third-party modules without verifying codebases, especially when sourced from official or reputable vendors. This attack leveraged that exact trust to persist undetected.
3. The Six-Year Silence: A Strategic Delay?
Why would attackers wait six years to activate the backdoor? Possibly to build maximum reach before exploitation. Or perhaps the initial intent was surveillance, with monetization only becoming a goal in recent months. This hints at a sophisticated, patient adversary.
4. Failures in Code Auditing and Monitoring
The malicious code relied on fake license checks, an unusual and easily auditable feature. Yet no one noticed, likely because few bother to examine what seems like routine licensing logic. This shows that even minor files need scrutiny.
5. Mixed Vendor Accountability
Tigren’s denial despite clear evidence, and MGS’s silence, show how transparency is still lacking in the vendor community. Meetanshi’s partial admission at least acknowledges the breach, but the lack of code verification weakens trust.
6. Impacts Beyond Direct Victims
Each compromised e-store potentially exposed its
7. Indicators of Advanced Persistent Threat (APT)
The length of dormancy, targeted vendor selection, and precision of backdoor placement all resemble tactics associated with state-sponsored or highly resourced threat groups.
8. Magento and the Risk of Legacy Platforms
Magento’s ecosystem, while powerful, is prone to fragmentation and reliance on outdated modules. This environment is ripe for backdoors, especially in extensions with low update cycles.
9. Urgent Need for Extension Integrity Checks
There should be cryptographic signing and verification for all third-party packages. Platforms must force hash verification before deployment.
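One way to make the "force hash verification before deployment" recommendation concrete, as an added example rather than anything Magento or the vendors ship: a deployment gate that recomputes the SHA-256 of every downloaded package and compares it against a manifest of digests pinned at review time. The package filenames (borrowed from the extension names on this page), the archive bytes and the manifest layout are all constructed for the demo.

```python
import hashlib
import os
import tempfile
from typing import Dict, Tuple


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file so large archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_packages(download_dir: str, manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare every file in download_dir against the pinned digests.

    Verdicts: 'ok', 'mismatch' (bytes changed since pinning), 'unpinned'
    (downloaded but never reviewed) and 'missing' (pinned but absent).
    The manifest format (filename -> hex SHA-256) is this example's own.
    """
    present = set(os.listdir(download_dir))
    results: Dict[str, str] = {}
    for name in sorted(present | set(manifest)):
        if name not in present:
            results[name] = "missing"
        elif name not in manifest:
            results[name] = "unpinned"
        else:
            actual = sha256_file(os.path.join(download_dir, name))
            results[name] = "ok" if actual == manifest[name].lower() else "mismatch"
    return results


def deployment_allowed(results: Dict[str, str]) -> bool:
    """Fail closed: a single non-'ok' verdict blocks the rollout."""
    return bool(results) and all(v == "ok" for v in results.values())


def demo() -> Tuple[Dict[str, str], bool]:
    """Constructed scenario: one clean download, one altered after pinning,
    one never pinned, and one pinned package that was not downloaded."""
    reviewed = b"constructed extension archive, reviewed and pinned\n"
    altered = reviewed + b"// bytes appended on the download server\n"
    manifest = {
        "ajaxcart-1.0.0.zip": hashlib.sha256(reviewed).hexdigest(),
        "gdpr-1.0.0.zip": hashlib.sha256(reviewed).hexdigest(),
        "storelocator-1.0.0.zip": hashlib.sha256(reviewed).hexdigest(),
    }
    downloads = {
        "ajaxcart-1.0.0.zip": reviewed,
        "gdpr-1.0.0.zip": altered,                 # changed since the pin was taken
        "currencyswitcher-1.0.0.zip": reviewed,    # no pin recorded for this one
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in downloads.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        results = verify_packages(d, manifest)
        return results, deployment_allowed(results)


if __name__ == "__main__":
    results, allowed = demo()
    for name, verdict in results.items():
        print(f"{verdict:9} {name}")
    print("deploy:", "allowed" if allowed else "BLOCKED")
```

Keep the manifest in your own repository, not on the vendor's download server, since that server is exactly what was breached here. A pin catches changes made after review; it does nothing against code that was already backdoored when the pin was recorded, which is why this gate complements, rather than replaces, reading the license-check logic that item 4 says nobody bothered to read.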
10. AI in Future Detection
Machine learning models trained on benign vs malicious code structures could, if implemented properly, have detected these anomalies years ago. This attack underlines the need for AI-driven static and dynamic analysis in software pipelines.
This is more than a breach; it’s a systemic failure. The risk of inherited trust in development ecosystems has been laid bare. It’s a wake-up call for every company using third-party code, especially in e-commerce, where the stakes are higher.
Fact Checker Results
- Claim: Backdoor was active for 6 years. Confirmed by Sansec forensic timestamps and release dates.
- Claim: Vendor denial vs. evidence. Tigren denies the hack, but the affected code remains live and traceable.
- Claim: Attack vector used fake licensing logic. Verified in public Sansec disclosures and code samples.
Prediction
Given the exposure of this supply chain attack, more victims are likely to surface in the coming weeks. Regulatory bodies may initiate compliance reviews or lawsuits, particularly if consumer data was compromised. Vendors like Tigren and MGS will face significant reputational and possibly financial consequences. Meanwhile, Magento-based developers may begin mass auditing of all third-party extensions, triggering a wave of updates or discontinuations. This incident could finally catalyze stronger supply chain protection protocols across the entire e-commerce ecosystem.
References:
Reported By: securityaffairs.com