A coordinated supply chain attack has come to light, compromising between 500 and 1,000 e-commerce stores globally through backdoored Magento extensions, according to cybersecurity researchers at Sansec.
The malware campaign, which affects 21 Magento extensions from at least four vendors, includes victims ranging from small online retailers to a multinational corporation valued at $40 billion.
“Multiple vendors were hacked in a coordinated supply chain attack,” Sansec reported. “We found 21 applications with the same backdoor. Curiously, the malware was injected six years ago, but came to life this week as attackers took full control of e-commerce servers. Sansec estimates that between 500 and 1000 stores are running backdoored software.”
Sansec's investigation revealed that some of the infected extensions have contained malicious code since as early as 2019. However, the attackers only activated the embedded backdoors in April 2025.
The affected extensions are distributed by known Magento vendors, including Tigren, Meetanshi, and MGS. A compromised version of the Weltpixel GoogleTagManager extension was also identified, though Sansec could not confirm whether the breach originated at the vendor level or through another vector.
Tigren denied any breach, while Meetanshi acknowledged a server breach but denied that any distributed extensions were affected. MGS has not responded to Sansec's repeated alerts.
Each infected extension carries a stealthy PHP backdoor hidden within a file typically used for license checks—either License.php or LicenseApi.php. The malicious code listens for HTTP requests containing two specific parameters: requestKey and dataSign.
When these values match hardcoded keys in the PHP file, the backdoor silently activates, granting the attacker administrative-level capabilities. These include the ability to upload a new license file that can contain arbitrary code. Once uploaded, the malicious license is executed via the include_once() PHP function, giving attackers a direct foothold into the server.
Earlier versions of this backdoor required no authentication, but more recent iterations include hardcoded keys as a basic access control measure.
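A triage scanner for the pattern described above, added here as an example and not code from Sansec or any of the named vendors: it walks a Magento code tree, picks out files named License.php or LicenseApi.php, and flags those that reference both the requestKey and dataSign parameters (and, for context, whether include_once() appears). The directory layout and the fixture contents are constructed for the demo; a hit is a lead for manual review, not proof of compromise, since the same identifiers could appear in benign code.

```python
"""Flag Magento license files that carry the backdoor markers reported by Sansec."""
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# File names the report identifies as hosting the backdoor.
SUSPECT_NAMES = {"License.php", "LicenseApi.php"}
# Markers: the two request parameters the backdoor waits for, plus the
# include_once() call used to execute the uploaded "license" file.
MARKERS = {
    "requestKey": re.compile(r"\brequestKey\b"),
    "dataSign": re.compile(r"\bdataSign\b"),
    "include_once": re.compile(r"\binclude_once\s*\("),
}

def scan_file(path: Path) -> dict:
    """Return which markers a single file contains and whether it looks suspicious."""
    text = path.read_text(errors="replace")
    hits = [name for name, rx in MARKERS.items() if rx.search(text)]
    # Both parameters together are the distinctive trait; include_once alone is common PHP.
    suspicious = {"requestKey", "dataSign"} <= set(hits)
    return {"path": str(path), "hits": hits, "suspicious": suspicious}

def scan_tree(root: Path) -> list[dict]:
    """Scan every License.php / LicenseApi.php under root and collect suspicious ones."""
    findings = []
    for php in root.rglob("*.php"):
        if php.name in SUSPECT_NAMES:
            result = scan_file(php)
            if result["suspicious"]:
                findings.append(result)
    return findings

def demo() -> list[dict]:
    """Build a throwaway tree with one constructed hit and one clean file, then scan it."""
    root = Path(tempfile.mkdtemp())
    bad = root / "app" / "code" / "Vendor" / "Module" / "License.php"   # hypothetical path
    bad.parent.mkdir(parents=True)
    bad.write_text("<?php\n// constructed fixture: inert text that only carries the markers\n"
                   "// expects requestKey and dataSign, then include_once($licenseFile);\n")
    clean = root / "app" / "code" / "Other" / "Module" / "LicenseApi.php"  # hypothetical path
    clean.parent.mkdir(parents=True)
    clean.write_text("<?php\n// ordinary license check with no request-parameter handling\n")
    return scan_tree(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "->", ", ".join(finding["hits"]))
```

On a live store, call scan_tree() on the Magento root (vendor/ and app/code/) and review every hit by hand.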