Cybersecurity researchers at Sansec have uncovered a sophisticated supply chain attack targeting the Magento e-commerce ecosystem, affecting between 500 and 1,000 online stores. The attack, which remained dormant since 2019, was strategically activated in April 2024, demonstrating an unprecedented level of patience and planning by the threat actors.
Technical Analysis of the Attack Vector
The attackers implemented a sophisticated PHP backdoor within the license verification modules (License.php or LicenseApi.php) of affected extensions. The malicious code was designed to intercept HTTP requests containing specific requestKey and dataSign parameters, validating them against pre-configured keys. Upon successful validation, the backdoor granted unauthorized access to advanced administrative functions, including the capability to execute arbitrary PHP code.
Scope of Compromise and Affected Vendors
The investigation revealed that extensions from several prominent vendors were compromised, including Tigren, Meetanshi, and MGS (Magesolution). A compromised version of Weltpixel GoogleTagManager was also identified, though the exact infection vector remains unclear. The vendor responses have varied significantly, with MGS failing to acknowledge the issue, Tigren denying the breach, and Meetanshi admitting to server compromise while disputing extension infection.
Security Implications and Attack Capabilities
The backdoor provided attackers with extensive control over compromised systems, enabling them to:
- Deploy web skimmers for payment data theft
- Extract sensitive customer information
- Create unauthorized administrative accounts
- Execute additional malicious payloads
Mitigation Strategies and Recommendations
Security experts recommend that affected store owners implement immediate remediation measures, including:
- Conducting comprehensive server security audits
- Performing clean installations from verified sources
- Restoring systems from pre-compromise backups
- Implementing enhanced monitoring solutions
This incident highlights the evolving sophistication of supply chain attacks and underscores the critical importance of thorough security vetting for third-party extensions. With a major multinational corporation among the victims, reporting annual revenue of $40 billion, the attack demonstrates that even well-resourced organizations can fall prey to supply chain compromises. The cybersecurity community continues to monitor this situation closely, emphasizing the need for improved security practices in the e-commerce ecosystem and regular security audits of all deployed components.
