
A coordinated supply chain attack has compromised dozens of Magento-based ecommerce modules, injecting a sophisticated backdoor that lay dormant for six years before being activated in late April.
Dutch cybersecurity firm Sansec reports that between 500 and 1000 online stores — potentially including a $40 billion multinational retailer — are running backdoored software, granting attackers remote control over their systems.
Sansec identified identical malicious code hidden in 21 Magento extensions distributed by three prominent vendors: Tigren, Meetanshi, and Magesolution (MGS). These compromised packages, originally released between 2019 and 2022, were distributed via the vendors' official download servers, all of which were breached at some point. Sansec also identified a suspicious version of Weltpixel's GoogleTagManager extension, though it remains unclear whether Weltpixel itself was compromised or if the package was tampered with later.
Tigren, MGS, and Meetanshi are well-known third-party Magento module developers. Their extensions — used for cart handling, wishlists, GDPR compliance, shipping calculations, and more — are integrated into thousands of ecommerce websites globally, including enterprise-grade deployments. The backdoor, embedded in a fake license validation routine, enables arbitrary code execution via specially crafted PHP files, bypassing authentication in older versions and using hardcoded keys in later ones.
The core of the malware lies in the License.php or LicenseApi.php file, particularly in the adminLoadLicense() function, which executes attacker-supplied PHP code under the guise of license verification. Each vendor's package uses unique keys and filenames, but the underlying logic remains the same. In the Meetanshi_CookieNotice module, for example, the malicious code is conditionally loaded from the registration.php entry point — a standard Magento practice that helped the malware blend in unnoticed.
Sansec's timeline shows the backdoor has been active since at least April 20, 2025, after lying dormant before that date, which suggests either a delayed activation or a change in the attackers' tactics. The attack demonstrates a rare combination of long-term persistence and sudden exploitation, raising concerns about how such malware remained undiscovered for years.
Despite being notified, MGS and Tigren continue to distribute the backdoored packages on their websites as of April 30, 2025. MGS has not responded to the findings. Tigren denies any compromise, while Meetanshi acknowledged a server breach but claims its software remains intact — a statement at odds with Sansec's forensic evidence.
Magento store operators using any of the affected extensions are urged to act immediately. Key indicators of compromise include the presence of unusual license files (mtn-license, mgs-license, apj-license, or wlp-license) and calls to the adminUploadLicense and adminLoadLicense functions. Sansec's eComscan tool can detect these anomalies and assist with remediation.
Store operators should take the following actions to protect their websites:
- Audit all third-party Magento extensions, especially those from Tigren, Meetanshi, and MGS.
- Search for and remove the malicious license files (License.php or similarly named).
- Monitor for unauthorized admin activity dating back to April 20, 2025.
- Replace infected modules with clean versions or verified alternatives.
- Avoid downloading packages directly from affected vendors until the supply chain is confirmed secure.
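A defender-side sweep for the indicators listed above (the reported license file names and calls to adminUploadLicense/adminLoadLicense), written here as an added example; it is not Sansec's eComscan or any vendor's code. The sample tree it builds is constructed and inert, and the app/code path layout is an assumption.

```python
import os
import re
import tempfile

# Indicator names and function names come from the Sansec findings in the
# article; the sample tree below is constructed for demonstration only.
LICENSE_FILE_MARKERS = ("mtn-license", "mgs-license", "apj-license", "wlp-license")
SUSPICIOUS_CALLS = re.compile(r"\badmin(?:Upload|Load)License\s*\(")


def scan_magento_tree(root):
    """Return sorted (relative_path, reason) hits found under a Magento code tree.

    Flags file names carrying a reported license marker and PHP sources that
    call adminUploadLicense()/adminLoadLicense(); a hit is a lead for review.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lowered = name.lower()
            if any(marker in lowered for marker in LICENSE_FILE_MARKERS):
                hits.append((rel, "license-file-name"))
            if lowered.endswith(".php"):
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    if SUSPICIOUS_CALLS.search(fh.read()):
                        hits.append((rel, "license-function-call"))
    return sorted(hits)


def build_sample_tree():
    """Write a constructed, inert sample tree (assumed layout) and return its root."""
    root = tempfile.mkdtemp(prefix="magento-sample-")
    samples = {
        # entry point that pulls in a license helper, as the article describes
        "app/code/Vendor/Module/registration.php": "<?php\nrequire __DIR__ . '/LicenseApi.php';\n",
        # only the function name is reproduced; no payload or execution logic
        "app/code/Vendor/Module/LicenseApi.php": "<?php\n$helper->adminLoadLicense($data);\n",
        "var/mtn-license": "constructed placeholder\n",
        # benign helper that must not be flagged
        "app/code/Vendor/Clean/Helper.php": "<?php\nfunction checkKey($k) { return strlen($k) === 32; }\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

Run scan_magento_tree against the real Magento root instead of the sample tree; every hit should be reviewed by hand, since the file names are indicators rather than proof.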