A coordinated supply chain attack has compromised between 500 and 1,000 Magento-based e-commerce websites through 21 backdoored extensions, according to new research from cybersecurity firm Sansec. The breach affected sites globally, including one operated by a multinational corporation valued at $40 billion.
Sansec revealed that malicious code was injected into the extensions as far back as 2019. However, it remained inactive until April 2025, when attackers remotely activated the malware and seized control of vulnerable servers. “Multiple vendors were hacked in a coordinated supply chain attack,” Sansec reported. “Curiously, the malware was injected six years ago, but came to life this week.”
The compromised extensions originate from well-known Magento vendors Tigren, Meetanshi, and MGS. Affected extensions include:
Tigren: Ajaxsuite, Ajaxcart, Ajaxlogin, Ajaxcompare, Ajaxwishlist, MultiCOD
Meetanshi: ImageClean, CookieNotice, Flatshipping, FacebookChat, CurrencySwitcher, DeferJS
MGS: Lookbook, StoreLocator, Brand, GDPR, Portfolio, Popup, DeliveryTime, ProductTabs, Blog.
Additionally, a version of the Weltpixel GoogleTagManager extension was found with similar code, though Sansec could not verify whether the source was the vendor or an already-infected site.
The malware was embedded in files named License.php or LicenseApi.php — components that typically manage license validation for the extensions. The backdoor listens for HTTP requests containing special parameters like requestKey and dataSign.
When those parameters match keys hardcoded in the file, the backdoor grants attackers access to admin-level functionality, including the ability to upload files. Uploaded files can then be executed through PHP’s include_once() function, opening the door to data theft, credit card skimming, admin account creation, and complete server control.
Earlier variants of the backdoor did not require any authentication; more recent versions rely on a static key, which offers only limited protection. Sansec confirmed that this method was used to deploy a web shell on at least one client’s server.
When alerted, vendor responses varied. MGS did not respond. Tigren denied any security breach and reportedly continues to distribute the compromised code. Meetanshi acknowledged a server intrusion but denied that its extensions were affected.
BleepingComputer independently verified the presence of the backdoor in the MGS StoreLocator extension, which is still available for download.
Sansec recommends that any site using the listed extensions immediately conduct full server scans and review indicators of compromise.
Ideally, websites should be restored from a verified, clean backup.
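One way to start the server scan described above is to look for the traits Sansec reported: extension files named License.php or LicenseApi.php that reference the requestKey and dataSign request parameters and load a file through include_once(). The script below is an added example, not Sansec's tooling or any vendor's code. It assumes the file names and parameter names are exact and case-sensitive, and it treats a hit as a lead for manual review rather than proof: legitimate licensing code can share these names, and a clean result does not rule out a differently written backdoor. The sample code tree and access-log lines it builds are constructed for the demonstration.

```python
"""Scan a Magento install for the backdoor traits reported by Sansec (added example)."""
import os
import re
import tempfile

# File names the report associates with the backdoor (assumed exact, case-sensitive).
SUSPECT_FILENAMES = {"License.php", "LicenseApi.php"}

# Traits from the report: the two request parameters and the include_once() loader.
TRAITS = {
    "requestKey": re.compile(r"\brequestKey\b"),
    "dataSign": re.compile(r"\bdataSign\b"),
    "include_once": re.compile(r"\binclude_once\b"),
}


def scan_file(path):
    """Return the set of trait names present in one PHP file."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return set()
    return {name for name, rx in TRAITS.items() if rx.search(text)}


def classify(filename, traits):
    """'high' = both parameters plus include_once; 'review' = both parameters
    anywhere, or a suspect file name with any single trait; None = no finding."""
    both_params = {"requestKey", "dataSign"} <= traits
    if both_params and "include_once" in traits:
        return "high"
    if both_params or (filename in SUSPECT_FILENAMES and traits):
        return "review"
    return None


def scan_tree(root):
    """Walk a code tree and return findings sorted by relative path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            verdict = classify(fn, traits := scan_file(path))
            if verdict:
                findings.append({"path": os.path.relpath(path, root),
                                 "verdict": verdict, "traits": sorted(traits)})
    return sorted(findings, key=lambda f: f["path"])


# Access-log check: only GET query strings are visible here; POST bodies are not logged,
# so an empty result from this function says nothing about POST-based use of the backdoor.
LOG_PARAM_RX = re.compile(r"[?&](requestKey|dataSign)=")


def scan_access_log(lines):
    """Return log lines whose request line carries either backdoor parameter."""
    return [line for line in lines if LOG_PARAM_RX.search(line)]


def build_sample_tree():
    """Constructed sample install: a benign license helper, a marker file with all
    three traits, and a file with the two parameters but a normal name."""
    root = tempfile.mkdtemp(prefix="magento_sample_")
    samples = {
        "app/code/VendorA/Ext/Helper/License.php":
            "<?php\n// benign: validates a stored licence key\nreturn $this->keyIsValid($key);\n",
        "app/code/VendorB/Ext/LicenseApi.php":
            "<?php\n// constructed marker file for the scanner, not real malware\n"
            "$k = $_REQUEST['requestKey'];\n$s = $_REQUEST['dataSign'];\ninclude_once($path);\n",
        "app/code/VendorC/Ext/Controller/Index.php":
            "<?php\n$k = $_REQUEST['requestKey'];\n$s = $_REQUEST['dataSign'];\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


# Constructed access-log lines (combined log format); the addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Apr/2025:10:00:00 +0000] "GET /index.php?requestKey=abc&dataSign=def HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Apr/2025:10:01:00 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 8192',
]


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['verdict']:6} {f['path']}  traits={f['traits']}")
    for line in scan_access_log(SAMPLE_LOG):
        print("log hit:", line)
```

Run it against the Magento document root (for example `scan_tree("/var/www/html")`) and against the web server's access logs. Anything rated "high" warrants treating the host as compromised and following the restore-from-clean-backup advice above; "review" hits need a look at the surrounding code before drawing conclusions.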
The security firm also highlighted the unusual delay between the malware’s insertion and its activation, suggesting the attack was carefully planned over a long timeline. An expanded investigation is ongoing.