Sansec Uncovers Massive Supply Chain Attack: 21 Compromised Magento Extensions Hit 500-1000 E-Stores
TL;DR
Sansec has revealed a significant supply chain attack involving 21 compromised Magento extensions, affecting between 500 and 1,000 e-stores. The attack, discovered by Alexandra Zota, has been ongoing for six years but was only recently detected. The compromised extensions allowed attackers to control e-stores by exploiting backdoors in popular e-commerce software.
Supply Chain Attack via 21 Backdoored Magento Extensions Impacts 500-1000 E-Stores
Security researchers at Sansec have uncovered a coordinated supply chain attack targeting multiple vendors, with 21 Magento extensions found to contain hidden backdoors. Surprisingly, the malicious code was injected six years ago, but the attack was only discovered this week after the threat actors compromised e-commerce servers. The researchers estimate that between 500 and 1,000 e-stores, including a $40 billion multinational corporation, have been affected by these backdoored extensions.
Discovery and Impact
The attack was initially discovered by Alexandra Zota. Sansec’s investigation revealed that threat actors breached the download servers of Tigren, Magesolution (MGS), and Meetanshi, injecting backdoors into their software. This allowed the attackers to take control of their customers’ e-stores.
“Hundreds of stores, including a $40 billion multinational, are running backdoored versions of popular e-commerce software. We found that the backdoor is actively used since at least April 20th. Sansec identified these backdoors in the following packages which were published between 2019 and 2022.” 1
Compromised Extensions
The backdoored extensions, published between 2019 and 2022, include:
| Vendor | Package |
|---|---|
| Tigren | Ajaxsuite |
| Tigren | Ajaxcart |
| Tigren | Ajaxlogin |
| Tigren | Ajaxcompare |
| Tigren | Ajaxwishlist |
| Tigren | MultiCOD |
| Meetanshi | ImageClean |
| Meetanshi | CookieNotice |
| Meetanshi | Flatshipping |
| Meetanshi | FacebookChat |
| Meetanshi | CurrencySwitcher |
| Meetanshi | DeferJS |
| MGS | Lookbook |
| MGS | StoreLocator |
| MGS | Brand |
| MGS | GDPR |
| MGS | Portfolio |
| MGS | Popup |
| MGS | DeliveryTime |
| MGS | ProductTabs |
| MGS | Blog |
Technical Details
The analysis of the malicious extensions revealed that the backdoor involves a fake license check in a file called `License.php` or `LicenseApi.php`, allowing attackers to control the `$licenseFile` variable. In older versions (2019), this required no authentication, but newer versions require a secret key.
“The evil is in the `adminLoadLicense` function, which executes `$licenseFile` as PHP. The `$licenseFile` can be controlled by the attacker using the `adminUploadLicense` function. In versions from 2019 this does not require any authentication.” 1
The fake license check was activated via `registration.php`, and each vendor’s backdoor had a unique checksum, path, and filename.
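A defender reading the details above will want to check their own code tree for the same pattern. The scanner below is an added example, not Sansec's code or any vendor's: it walks a Magento installation, inspects every file named `License.php` or `LicenseApi.php`, and flags those that define the `adminLoadLicense` / `adminUploadLicense` functions named in the advisory or that hand a `$licenseFile` variable to a PHP code-execution primitive. The sample extension tree (the `Acme_Benign` and `Acme_Sample` modules) is constructed inline for demonstration and is not real vendor code; the advisory gives no further indicators beyond the file and function names, so anything a real backdoor might do differently is outside what this check covers.

```python
"""Scan a Magento code tree for the fake-license backdoor pattern.

Added example (not Sansec's or any vendor's code). Matching is based only on
the file and function names given in the advisory plus PHP primitives that
execute a path or string as code; treat hits as leads for manual review.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# File names the advisory associates with the fake license check.
SUSPECT_FILENAMES = {"License.php", "LicenseApi.php"}

# Function definitions named in the advisory.
FUNC_RE = re.compile(r"\bfunction\s+(adminLoadLicense|adminUploadLicense)\s*\(")

# A PHP code-execution primitive on the same statement as $licenseFile.
EXEC_RE = re.compile(
    r"\b(eval|include|include_once|require|require_once)\b[^;\n]*\$licenseFile\b"
)


@dataclass
class Finding:
    path: str
    functions: list = field(default_factory=list)  # suspect function names defined
    exec_hits: list = field(default_factory=list)  # statements executing $licenseFile

    @property
    def executes_license_file(self) -> bool:
        return bool(self.exec_hits)


def inspect_file(path: str):
    """Return a Finding if the file shows the backdoor pattern, else None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    functions = sorted(set(FUNC_RE.findall(src)))
    exec_hits = [m.group(0).strip() for m in EXEC_RE.finditer(src)]
    if not functions and not exec_hits:
        return None
    return Finding(path=path, functions=functions, exec_hits=exec_hits)


def scan_tree(root: str):
    """Walk a code tree and inspect every License.php / LicenseApi.php."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in SUSPECT_FILENAMES:
                finding = inspect_file(os.path.join(dirpath, name))
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


# Constructed sample files: a benign License.php that only compares a key
# string, and a stand-in that mimics the pattern the advisory describes.
# Neither is real vendor code; the module names are hypothetical.
BENIGN_LICENSE = """<?php
namespace Acme\\Benign\\Model;
class License {
    public function isValid(string $key): bool {
        return hash_equals('EXPECTED-KEY', $key);
    }
}
"""

SUSPECT_LICENSE = """<?php
namespace Acme\\Sample\\Model;
class License {
    private $licenseFile = '/tmp/license.dat';
    public function adminUploadLicense($data) {
        // stand-in: writes attacker-supplied content to $licenseFile
    }
    public function adminLoadLicense() {
        $licenseFile = $this->licenseFile;
        include $licenseFile;
    }
}
"""


def build_sample_tree() -> str:
    """Write the constructed sample modules into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="magento-scan-")
    layout = {
        "app/code/Acme/Benign/Model/License.php": BENIGN_LICENSE,
        "app/code/Acme/Sample/Model/License.php": SUSPECT_LICENSE,
        "app/code/Acme/Sample/registration.php": "<?php // module registration\n",
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Point scan_tree at a real Magento root (e.g. /var/www/magento) in practice.
    for finding in scan_tree(build_sample_tree()):
        print(finding.path, finding.functions, finding.exec_hits)
```

Run it against a real installation by calling `scan_tree("/path/to/magento")` instead of the constructed tree. A hit on either list is worth a manual look; a file that both defines the two functions and executes `$licenseFile` matches the advisory's description closely and should be compared against a clean copy of the extension from a trusted source.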
Vendor Responses
Sansec contacted the impacted vendors and received varying responses:
- Tigren: Denies being hacked, but their packages are still online.
- Meetanshi: Claims no tampering but confirms their server was hacked.
- Magesolution (MGS): Did not respond, but backdoored packages are still available.
“It is rare that a backdoor remains undetected for 6 years, but it is even stranger that actual abuse has only started now.” 1
Follow-Up and Resources
For more details, visit the full article: source
1. Sansec (2025). “Sansec Uncovered A Supply Chain Attack Via 21 Backdoored Magento Extensions”. Retrieved 2025-05-05.