A coordinated supply chain attack has compromised between 500 and 1,000 Magento-based e-commerce websites through 21 backdoored extensions, according to new research from cybersecurity firm Sansec. The breach affected sites globally, including the one being operated by a multinational corporation valued at $40 billion.
Sansec revealed that malicious code was injected into the extensions as far back as 2019. However, it remained inactive until April 2025, when attackers remotely activated the malware and seized control of vulnerable servers. “Multiple vendors were hacked in a coordinated supply chain attack,” Sansec reported. “Curiously, the malware was injected six years ago, but came to life this week.”
The compromised extensions originate from well-known Magento vendors Tigren, Meetanshi, and MGS. Affected extensions include:
Tigren: Ajaxsuite, Ajaxcart, Ajaxlogin, Ajaxcompare, Ajaxwishlist, MultiCOD
Meetanshi: ImageClean, CookieNotice, Flatshipping, FacebookChat, CurrencySwitcher, DeferJS
MGS: Lookbook, StoreLocator, Brand, GDPR, Portfolio, Popup, DeliveryTime, ProductTabs, Blog.
Tigren: Ajaxsuite, Ajaxcart, Ajaxlogin, Ajaxcompare, Ajaxwishlist, MultiCOD
Meetanshi: ImageClean, CookieNotice, Flatshipping, FacebookChat, CurrencySwitcher, DeferJS
MGS: Lookbook, StoreLocator, Brand, GDPR, Portfolio, Popup, DeliveryTime, ProductTabs, Blog.
Additionally, a version of the Weltpixel GoogleTagManager extension was found with similar code, though Sansec could not verify whether the source was the vendor or an already-infected site.
The malware was embedded in files named License.php or LicenseApi.php — components that typically manage license validation for the extensions. The backdoor listens for
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: