The Magento supply chain attack impacts numerous online stores

May 30, 2025

A supply chain attack involving 21 malware-infected Magento extensions has affected between 500 and 1,000 e-commerce stores, including one belonging to a multi-billion-dollar multinational corporation.

Researchers who discovered the attack report that some extensions had been compromised as early as 2019, but the malicious code was only activated in April 2025.

Reports revealed that multiple vendors were attacked in a coordinated effort, allowing the investigators to identify 21 applications containing the same malware.

This new Magento supply chain attack is years in the making.

According to the investigations, the attack was set up long ago: the malware was injected into the extensions six years ago but only became active last week, when the attackers gained complete control over the affected e-commerce servers.

The researchers also list the compromised extensions by vendor: six Tigren extensions, six Meetanshi extensions, and nine MGS extensions.

Additionally, a compromised version of the Weltpixel GoogleTagManager extension was found, though it’s unclear whether the compromise occurred at the vendor level or the website itself.

In all reported cases, the extensions contain a PHP backdoor added to a license verification file (License.php or LicenseApi.php) used by the extension.

The malicious code inspects incoming HTTP requests for two specific parameters, “requestKey” and “dataSign,” and verifies their values against keys hardcoded in the PHP files.

If the verification is successful, the backdoor provides access to additional admin functions within the file, including an option that allows a remote user to upload a new license and save it as a file.

The uploaded file is then loaded with a PHP include, so any code it contains is automatically executed on the server. Researchers noted that earlier variations of the backdoor did not require authentication at all, while newer versions gate access behind the hardcoded key.

Furthermore, this backdoor was used to upload a web shell to one of the client’s websites. The ability to upload and execute any PHP code poses serious risks, including data theft, the installation of skimmers, arbitrary admin account creation, and more.

Separate research has confirmed that this backdoor is present in the MGS StoreLocator extension, which can be downloaded for free from their website. However, the researchers could not verify whether the backdoor exists in the other extensions identified by the initial investigators.

Therefore, users of the extensions mentioned are urged to conduct thorough server scans for the indicators of compromise and, if possible, restore sites from a verified clean backup.
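As an added example (not code from the article or from the researchers it cites), the scanner below turns the description above into a defensive check: it walks a Magento code tree, looks at the licence-verification files named in the report (License.php, LicenseApi.php), flags those that read both the “requestKey” and “dataSign” request parameters and perform a dynamic include, and separately filters access-log lines that carry both parameters in the query string. The markers are heuristics assumed from the published description, not official signatures, and the log lines are constructed samples.

```python
import os
import re
import sys

# Assumed heuristics derived from the public description of the backdoor:
# it lives in a licence-check file, reads the requestKey and dataSign request
# parameters, and includes a file it has just written to disk.
LICENSE_FILES = ("License.php", "LicenseApi.php")
PARAM_MARKERS = ("requestKey", "dataSign")
# include/require whose target is a variable rather than a string literal
DYNAMIC_INCLUDE = re.compile(r"\b(include|require)(_once)?\s*\(?\s*\$", re.I)

def classify_source(text: str) -> list[str]:
    """Return the list of backdoor heuristics a PHP source text triggers."""
    hits = [m for m in PARAM_MARKERS if m in text]
    if DYNAMIC_INCLUDE.search(text):
        hits.append("dynamic_include")
    return hits

def is_suspect(text: str) -> bool:
    """Both request parameters plus a dynamic include is a strong signal."""
    hits = classify_source(text)
    return all(m in hits for m in PARAM_MARKERS) and "dynamic_include" in hits

def scan_tree(root: str) -> list[tuple[str, list[str]]]:
    """Walk a Magento code tree and report licence files that look backdoored."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name not in LICENSE_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if is_suspect(text):
                findings.append((path, classify_source(text)))
    return findings

def suspicious_requests(log_lines) -> list[str]:
    """Access-log lines with both backdoor parameters in the query string.
    Parameters sent in a POST body are not visible in a standard access log."""
    return [line for line in log_lines if all(p + "=" in line for p in PARAM_MARKERS)]

# Constructed sample access-log lines (not real traffic) for the log check.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2025:10:00:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/May/2025:10:01:00 +0000] "POST /index.php?requestKey=x&dataSign=y HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"SUSPECT {path}: {', '.join(hits)}")
    print("suspicious log lines:", len(suspicious_requests(SAMPLE_LOG)))
```

A hit on the file check is a reason to diff the file against the vendor's clean release and restore from a verified backup, not proof on its own; a clean result does not rule out other modifications.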
