Cybercriminals Hijack E-Commerce Servers Through 21 Compromised Apps

Cybercriminals have placed backdoors into the most popular apps of several e-commerce software vendors, giving them privileged access to client servers throughout the globe in a massive and well-planned supply chain attack.

Security firm Sansec has revealed that at least 21 widely used Magento extensions, distributed by three prominent vendors, Tigren, Meetanshi, and Magesolution (MGS), have been compromised, with estimates suggesting that between 500 and 1,000 online stores are currently operating with backdoored components.

Alarmingly, these malicious implants were quietly seeded into the software as far back as six years ago, only to be remotely activated in recent days.

Long-Term Intrusion Activated on the Eve of Attack

The exposed attack vector is especially insidious due to its long dormancy. While the malware was stealthily injected into vendor packages between 2019 and 2022, it lay inert until attackers reactivated it starting April 20th, 2025.

This enabled cybercriminals to bypass security checks and evade detection for years, before suddenly leveraging their persistent access to seize control over e-commerce servers.

Among the victims is a multinational retailer with annual revenues north of $40 billion, underscoring the scale and potential fallout of the breach.

The compromised software includes critical e-commerce modules such as Ajaxsuite, Ajaxcart, Ajaxlogin, and MultiCOD from Tigren; ImageClean, CookieNotice, and CurrencySwitcher from Meetanshi; as well as Lookbook, GDPR, Blog, and Portfolio from MGS.

Sansec’s investigation indicates that the attackers breached the software vendors’ download servers, inserting identical backdoor code across all affected modules.

They further discovered a tainted Weltpixel GoogleTagManager extension, though it remains unclear whether the core Weltpixel infrastructure was compromised.

Technical Anatomy of the Backdoor

At the core of the backdoor is a malicious “license check” – a ruse implemented via a file, License.php or LicenseApi.php, embedded within the modules.

The critical function, named adminLoadLicense, allows attackers to execute arbitrary PHP code on a targeted store by loading a controlled license file through another function, adminUploadLicense.

Notably, in earlier module versions, this exploit requires no authentication, giving cybercriminals unimpeded access.

In later revisions, access is gated by a hardcoded secret key and checksum, with each vendor employing their own unique key and license filename.

The activation of the hostile code is triggered within the registration.php file, which checks for and includes the backdoored License.php script during module registration.

In practice, this mechanism hands attackers the keys to the store’s administrative backend with the potential to steal customer data, manipulate transactions, inject further malware, or disrupt business operations.

This latest supply chain breach serves as a stark warning to the e-commerce ecosystem.

By compromising a handful of trusted software vendors, attackers have effectively penetrated hundreds of downstream businesses and, by extension, jeopardized millions of customers’ data.

Online merchants currently using extensions from Tigren, MGS, or Meetanshi are advised to audit their installations immediately, searching specifically for the telltale License.php or LicenseApi.php files and scrutinizing any anomalies within the affected modules.
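One way to script the audit described above, as an added example that is not code from Sansec or from the vendors: it walks a store's module tree and flags license files that contain the reported function names and any registration.php that includes a license file. The file and function names are those named in this article; the `Vendor/Bad` and `Vendor/Good` paths and the sample file contents are constructed, and a bare filename match is only marked for review because the name alone does not prove compromise.

```python
import re
import sys
import tempfile
from pathlib import Path

# File and function names come from the article; the directory layout is assumed.
LICENSE_FILES = {"License.php", "LicenseApi.php"}
BACKDOOR_FUNCS = ("adminLoadLicense", "adminUploadLicense")
# registration.php including a license file is the trigger the article describes.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*License(?:Api)?\.php", re.I)

def audit(root):
    """Return sorted (relative_path, severity, reason) findings under root."""
    root, findings = Path(root), []
    for path in root.rglob("*.php"):
        if path.name not in LICENSE_FILES and path.name != "registration.php":
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        if path.name == "registration.php":
            if INCLUDE_RE.search(text):
                findings.append((rel, "high", "includes a license file"))
            continue
        hits = [f for f in BACKDOOR_FUNCS if f in text]
        reason = "defines " + ", ".join(hits) if hits else "license file name matches"
        findings.append((rel, "high" if hits else "review", reason))
    return sorted(findings)

def build_constructed_sample(root):
    """Write a small constructed tree: one flagged module, one clean module."""
    files = {
        "Vendor/Bad/registration.php":
            "<?php\ninclude_once __DIR__ . '/License.php';\n",
        "Vendor/Bad/License.php":
            "<?php\nfunction adminLoadLicense($file) { /* body omitted */ }\n",
        "Vendor/Good/registration.php": "<?php\n// registration only, no include\n",
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        if len(sys.argv) < 2:
            build_constructed_sample(tmp)  # no path given: scan the constructed tree
        for finding in audit(sys.argv[1] if len(sys.argv) > 1 else tmp):
            print(*finding, sep="\t")
```

Run it with the path to the store's module directory as the only argument; with no argument it scans the constructed sample tree.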

The incident underscores the criticality of rigorous supply chain security and continuous monitoring, as attackers increasingly turn to these stealthy, indirect vectors to compromise high-value targets.

With the malicious code active and in the wild, swift remediation is essential to prevent further exploitation and safeguard the broader e-commerce landscape.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.