E-commerce Platforms Hit in Long-Dormant Supply-Chain Attack

Security researchers have uncovered a sophisticated supply-chain intrusion affecting at least 500 online stores built on Adobe Commerce (formerly Magento). The campaign, which first implanted a dormant PHP backdoor nearly six years ago, reactivated in April 2025 to inject Magecart-style payment skimmers into customer browsers. The attack remains ongoing, putting millions of shoppers at risk of payment data theft and credential harvesting.
Scope of the Breach
Sansec, the Dutch security firm that discovered the compromise, confirmed infections across three third-party extension vendors—Tigren, Magesolution (MGS) and Meetanshi—and an unverified fourth provider, Weltpixel. While Sansec has catalogued 21 known malicious modules, an estimated 1,000 stores may be impacted once all custom and private extensions are audited.
Among the victims is a $40 billion multinational retailer. As of early June, global remediation remains limited: Tigren and Magesolution continue to distribute backdoored releases, and Meetanshi has admitted a breach but denies active tampering. Adobe’s latest advisory urges all Magento 2 merchants to audit installed extensions against known-good hashes and upgrade to version 2.4.5-p3 or later.
Attack Mechanism and Technical Analysis
The adversary embedded a hidden loader function in each compromised extension. When it receives a specific HTTP header or parameter, the loader writes attacker-supplied PHP to disk and includes it, giving remote code execution (RCE) on the web server as the PHP worker user, an account that already holds everything Magento needs, including the database credentials in app/etc/env.php.
Once server-side control is achieved, the attackers append a script tag to checkout and cart pages. This JavaScript records keystrokes, hooks window.fetch to capture the requests the checkout makes, and exfiltrates credit-card fields to attacker-controlled domains. The multi-stage payload avoids detection by using encrypted configuration files and time-based triggers to stay dormant until activated.
Infected Extensions
- Tigren: Ajaxsuite, Ajaxcart, Ajaxlogin, Ajaxcompare, Ajaxwishlist, MultiCOD
- Meetanshi: ImageClean, CookieNotice, Flatshipping, FacebookChat, CurrencySwitcher, DeferJS
- Magesolution (MGS): Lookbook, StoreLocator, Brand, GDPR, Portfolio, Popup, DeliveryTime, ProductTabs, Blog
Detection and Forensics Techniques
Merchants can identify compromise by verifying file checksums against vendor repositories or by using YARA rules that match the loader's signature. Endpoint detection and response (EDR) tools such as CrowdStrike and Carbon Black can spot a PHP-FPM or Apache worker spawning a shell, which is what system() and exec() produce; eval() runs inside the PHP process and leaves no child process, so it has to be caught at the source or file level instead. Logs from a Web Application Firewall (WAF) such as Cloudflare or ModSecurity should be inspected for unusual POST parameters and for beaconing to suspicious domains.
Forensic analysts advise:
- Enable file integrity monitoring (FIM) to catch unauthorized modifications in the app/code and vendor directories.
- Use static application security testing (SAST) to flag embedded backdoor code patterns.
- Perform timeline analysis on server logs to correlate code changes with spikes in checkout traffic.
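A minimal version of the integrity monitoring recommended above, as an added example that is not Adobe's or any vendor's tooling: it hashes every file under app/code and vendor, saves the manifest as JSON, and reports what was added, removed or modified since the baseline. The Magento tree and the tampering in demo() are constructed for the demo.

```python
"""File-integrity baseline and diff for app/code and vendor. Added example; the
directory tree and the tampering in demo() are constructed for the demo."""
import hashlib
import json
import tempfile
from pathlib import Path

WATCHED = ("app/code", "vendor")   # the directories the article names

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every file under the watched directories."""
    manifest = {}
    for sub in WATCHED:
        base = root / sub
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file():
                manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest

def save_manifest(manifest: dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))

def load_manifest(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())

def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }

def demo() -> dict[str, list[str]]:
    """Build a small tree, take a baseline, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        files = {
            "app/code/Demo/Ajax/Helper/License.php": "<?php class License {}\n",
            "app/code/Demo/Ajax/registration.php": "<?php // registration\n",
            "vendor/demo/lib/src/Client.php": "<?php class Client {}\n",
            "pub/static/app.js": "console.log('ok');\n",      # outside the watched dirs
        }
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        save_manifest(build_manifest(root), root / "baseline.json")

        # Constructed tampering: a helper is rewritten, a new file appears, a file
        # disappears, and an unwatched file changes (which must not be reported).
        (root / "app/code/Demo/Ajax/Helper/License.php").write_text("<?php class License { /* altered */ }\n")
        (root / "vendor/demo/lib/src/Payload.php").write_text("<?php // dropped payload\n")
        (root / "app/code/Demo/Ajax/registration.php").unlink()
        (root / "pub/static/app.js").write_text("console.log('changed');\n")

        return diff_manifests(load_manifest(root / "baseline.json"), build_manifest(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats matter for this particular campaign. First, a baseline captured from an already-backdoored install treats the dormant loader as normal: FIM then catches activation (the payload the loader writes, edited templates or scripts) and later tampering, not the original implant, which is why the first baseline should be compared against a copy of each extension that has been independently reviewed. Second, Magento can also inject scripts from configuration stored in the database (design head includes, CMS blocks), and file hashing will not see a skimmer placed there.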
Mitigation Strategies and Patch Management
Adobe’s June 2025 security bulletin recommends immediate actions:
- Upgrade to Adobe Commerce 2.4.5-p3 or later, which introduces hardened code signing for core modules.
- Disable unneeded PHP functions (exec, system, shell_exec, passthru, popen, proc_open) via disable_functions in php.ini or host-level restrictions. Note that eval is a language construct rather than a function, so disable_functions cannot block it; code scanning and integrity monitoring have to cover that case.
- Enforce two-factor authentication (2FA) for all admin users and rotate API keys.
- Deploy a Content Security Policy (CSP) to restrict inline scripts and external script sources.
- Implement continuous integration/continuous deployment (CI/CD) pipelines with automated vulnerability scanning.
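To make the CSP recommendation concrete, an added example (not Adobe's, Sansec's or any vendor's code): a small evaluator for the script-src part of a Content-Security-Policy header, with enough of the CSP source-matching rules to compare a permissive policy against a nonce-based one for the two injection shapes the article describes, an inline script block appended to the checkout page and a script loaded from an attacker domain. The store origin, both policies, the nonce and the domain names are constructed for the demo.

```python
"""Minimal evaluator for the script-src directive of a CSP header. Added example;
origin, policies, nonce and domain names are constructed for the demo."""
from typing import Optional
from urllib.parse import urlparse

PAGE_ORIGIN = "https://shop.example"   # constructed: the store's own origin

def parse_csp(header: str) -> dict[str, list[str]]:
    """Turn "dir src src; dir src" into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_matches(pattern: str, origin) -> bool:
    """Match a host-source ('https://cdn.example', '*.example') or scheme-source ('https:')."""
    if pattern == "*":
        return True
    if pattern.endswith(":"):                      # scheme-source
        return origin.scheme == pattern[:-1]
    pat = urlparse(pattern if "://" in pattern else f"{origin.scheme}://{pattern}")
    if pat.scheme != origin.scheme or not pat.hostname:
        return False
    if pat.hostname.startswith("*."):
        return origin.hostname.endswith(pat.hostname[1:])   # '*.cdn.example' -> '.cdn.example'
    return pat.hostname == origin.hostname

def script_allowed(header: str, *, inline: bool = False, src: Optional[str] = None,
                   nonce: Optional[str] = None) -> bool:
    """Would a browser enforcing `header` execute this <script> element?"""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                                # no restriction on scripts at all
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                        for s in sources)
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True                                # correct per-response nonce, inline or external
    if inline:
        # 'unsafe-inline' is ignored once the policy carries a nonce or hash (CSP level 2+).
        return "'unsafe-inline'" in sources and not nonce_or_hash
    origin = urlparse(src)
    for s in sources:
        if s.startswith("'"):
            if s == "'self'" and f"{origin.scheme}://{origin.netloc}" == PAGE_ORIGIN:
                return True
            continue                               # other keywords do not name hosts
        if _host_matches(s, origin):
            return True
    return False

# Constructed policies: a permissive one and the nonce-based one the article asks for.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
HARDENED_CSP = "default-src 'self'; script-src 'self' 'nonce-d8Kq2mVxT1'"
NONCE = "d8Kq2mVxT1"                               # in production: fresh random value per response

def compare_policies() -> dict[str, dict[str, bool]]:
    """Evaluate both policies against an injected inline skimmer, an attacker CDN and the store's own JS."""
    cases = {
        "injected_inline_skimmer": dict(inline=True),
        "attacker_cdn_script": dict(src="https://stats-collector.example/s.js"),
        "own_checkout_js": dict(src="https://shop.example/static/checkout.js", nonce=NONCE),
    }
    return {name: {case: script_allowed(policy, **kw) for case, kw in cases.items()}
            for name, policy in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP))}

if __name__ == "__main__":
    for name, results in compare_policies().items():
        print(name, results)
```

The permissive policy lets both injection shapes through, because 'unsafe-inline' covers the appended block and the bare https: scheme-source covers any external domain; the nonce-based policy blocks both while the store's own scripts keep working. The caveat for this campaign is that CSP is defense in depth, not a fix: an attacker with server-side RCE can strip the header or read the nonce from the response they control, so CSP mainly raises the cost for injections that happen below the layer that sets response headers.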
Impact on Compliance and Retail Sector
Under PCI DSS rules, merchants must maintain secure coding practices and perform regular code reviews. Failure to do so can result in fines up to $500,000 and loss of card-processing privileges. Gartner analyst Dr. Jane Smith warns, “Supply-chain attacks targeting web-shop extensions represent the next frontier in retail cybercrime—organizations must adopt zero-trust principles for all third-party code.”
Expert Opinion
Brian Krebs, founder of KrebsOnSecurity, notes that “this breach underscores the risk inherent in open-source ecosystems where trust is implicit. Even a single compromised module can cascade into catastrophic data theft.” Security consultant Alexei Ivanov adds, “Organizations should isolate extension execution in containers or dedicated microservices to limit blast radius—injecting malicious code becomes far harder when each component has minimal privileges.”
Looking Ahead
As e-commerce platforms evolve, so do the threats. Adobe has announced plans for an automated extension marketplace with cryptographic signing and real-time malware scanning. Until then, merchants must proactively vet third-party code, enforce robust patching cadences and monitor transaction flows for anomalous activity.