Magento supply chain attack compromises hundreds of e-stores

A significant supply chain attack involving 21 compromised Magento extensions has impacted between 500 and 1,000 e-commerce stores, including one owned by a billion multinational. The malicious code, which was dormant for six years, was activated in April 2025, allowing attackers to take control of affected servers. Key vendors affected include Tigren, Meetanshi, and MGS.

Key points:

  • The attack compromised numerous e-commerce stores through backdoored Magento extensions.
  • The malware was injected into the extensions as early as 2019 but activated recently, leading to significant security risks.
  • Compromised extensions are from vendors Tigren, Meetanshi, and MGS, with the MGS StoreLocator extension confirmed to harbor the backdoor.
  • Attackers can exploit the backdoor to upload arbitrary PHP code, leading to potential data theft and unauthorized admin account creation.
  • Sansec has informed the affected vendors, with varying responses regarding the breaches.
  • Users are advised to conduct thorough server scans and restore from clean backups if necessary.

Read More: https://www.bleepingcomputer.com/news/security/magento-supply-chain-attack-compromises-hundreds-of-e-stores/