A supply chain attack involving 21 backdoored Magento extensions has compromised between 500 and 1,000 e-commerce stores, including one belonging to a $40 billion multinational company. Sansec researchers discovered that some of the backdoors had been planted as early as 2019, but the malicious code remained dormant until April 2025, when it was activated. The attack is linked to compromised extensions from vendors Tigren, Meetanshi, and MGS, with some versions of the backdoor dating back to 2019. Despite the six-year delay, the attackers managed to take full control of e-commerce servers after activating the malicious code.
The backdoored extensions include PHP code hidden in the license check files, such as License.php or LicenseApi.php.
These files contain a backdoor that checks for specific HTTP requests, and if successful, the attacker gains access to other admin functions. This backdoor enables remote users to upload a new license and execute PHP code, which can lead to severe consequences such as data theft and skimmer injection. The ability to run arbitrary PHP code on the server raises concerns over administrative account hijacking and other malicious activities.
Sansec’s report also identified compromised versions of the Weltpixel GoogleTagManager extension, though the point of compromise could not be determined. The cybersecurity firm has already contacted the affected vendors, but responses have been mixed. MGS has yet to respond, Tigren denied the breach but continued distributing the malicious extensions, and Meetanshi admitted to a server breach, but not the extension compromise.
This lack of cooperation from vendors has left many e-commerce businesses vulnerable to further exploitation.
Sansec recommends that users of the affected extensions perform complete server scans to check for indicators of compromise shared in the report. It also advises restoring from a clean backup if possible to mitigate the risk. The firm continues to investigate the peculiar timing of the attack, which involved a six-year delay before the backdoor was activated. Sansec promises to release more details as the investigation progresses, urging all Magento users to stay vigilant.
Reference:
