Malware in Magento Store Plugins


A widespread malware campaign has affected hundreds of Magento-powered online stores. This supply chain attack used compromised third-party plugins to quietly install backdoors.

The attack impacted between 500 and 1,000 e-commerce sites. Shockingly, the malicious code had been hidden in popular extensions for years. However, the malware was only activated in April 2025, suggesting a long-term, well-planned operation.

Hidden Malware in 21 Plugins

According to the report, 21 Magento plugins contained the same hidden backdoor. These extensions came from vendors such as Tigren, Meetanshi, and MGS. In one case, a $40 billion multinational company was affected.

For example, plugins like Ajaxsuite, MultiCOD, FacebookChat, and StoreLocator were among the infected. Some of these are widely used, making the potential reach of the attack even more alarming.

The backdoor was placed in files like License.php or LicenseApi.php. These files handled license checks and were easy targets for code injection. If a remote attacker sent a request with two special parameters, the plugin would verify them against hardcoded keys.

Once verified, the system would allow the attacker to upload a new file disguised as a license. This file would then be executed on the server, allowing full remote control. As a result, attackers could steal data, create admin users, or inject harmful scripts.

Earlier versions of the backdoor needed no authentication. However, newer versions added a hardcoded key to limit access. Despite this, researchers confirmed that it was used to upload webshells and execute PHP code remotely on victim sites.

The danger is real. With access to PHP execution, an attacker can do almost anything — from injecting payment skimmers to installing persistent malware or altering user data.

In response, researchers contacted the affected vendors. One denied the breach, another admitted a server issue, and one did not respond at all. At least one plugin is still publicly available with the malicious code intact.

How to Protect Your Magento Store

To avoid such threats, store owners should regularly audit installed plugins and remove any unnecessary or outdated extensions. Install extensions only from trusted sources, and verify checksums when possible.

Keep Magento and all extensions up to date. Use file integrity monitoring to detect unauthorized changes. Also, consider scanning server files regularly for suspicious content or unknown PHP scripts.

Lastly, if you’re unsure about an extension, isolate it in a test environment before installing it live. Prevention is far easier than recovering from a breach.
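As an added illustration of two of the recommendations above (file integrity monitoring, and scanning server files for suspicious PHP) and of the backdoor shape the article describes (request parameters checked against a hardcoded key, then a file written and executed), here is a small Python audit script. It is not from the article or from any plugin vendor. The directory layout, the sample file contents, the pattern list and the "suspicious" scoring rule are all constructed for this example; the second fixture is a deliberately non-functional sketch that only carries the tokens the scanner keys on.

```python
"""Added example: defender-side audit of a Magento code tree.
1. SHA-256 baseline of every .php file, and a drift report against it.
2. Triage of License.php / LicenseApi.php files for the combination
   request input + file write + code inclusion.
All paths and fixtures are constructed; nothing here is vendor code."""
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic patterns. Any one of them appears in legitimate Magento code;
# a file is flagged only when it combines request input, a file write and
# code inclusion/execution, which is the chain described in the article.
PATTERNS = {
    "request_input": re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE)\s*\["),
    "file_write": re.compile(r"\b(?:file_put_contents|move_uploaded_file|fwrite)\s*\("),
    "code_exec": re.compile(r"\b(?:eval|include|include_once|require|require_once)\b"),
    "obfuscation": re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\("),
}
LICENSE_NAMES = {"License.php", "LicenseApi.php"}  # file names the article mentions


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Relative path -> SHA-256 for every PHP file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*.php"))}


def diff_baseline(root: Path, baseline: dict) -> dict:
    """File integrity check: what changed since the baseline was stored."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def scan_php(path: Path, root: Path) -> dict:
    text = path.read_text(encoding="utf-8", errors="replace")
    hits = {label: bool(rx.search(text)) for label, rx in PATTERNS.items()}
    return {
        "path": path.relative_to(root).as_posix(),
        "hits": hits,
        "suspicious": hits["request_input"] and hits["file_write"] and hits["code_exec"],
    }


def audit_license_files(root: Path) -> list:
    """Triage list: every License.php / LicenseApi.php with its pattern hits."""
    return [scan_php(p, root) for p in sorted(root.rglob("*.php")) if p.name in LICENSE_NAMES]


# Constructed fixtures. The second is non-functional on purpose: it only
# carries the token combination the scanner looks for.
BENIGN_LICENSE = """<?php
// benign: validates key format locally, writes nothing, includes nothing
namespace Vendor\\Good\\Helper;
class License {
    public function isValid(string $key): bool {
        return (bool) preg_match('/^[A-Z0-9-]{16,}$/', $key);
    }
}
"""
SUSPICIOUS_LICENSE = """<?php
// constructed, non-functional sketch: request parameter compared to a
// hardcoded key, then a file is written and included
class LicenseApi {
    private $key = 'HARDCODED-KEY-PLACEHOLDER';
    public function check() {
        if (($_REQUEST['a'] ?? '') !== $this->key) { return; }
        file_put_contents(/* path */ '', /* body */ '');
        include /* path */ '';
    }
}
"""


def write_demo_tree(root: Path) -> None:
    files = {
        "app/code/Vendor/Good/Helper/License.php": BENIGN_LICENSE,
        "app/code/Vendor/Bad/Helper/LicenseApi.php": SUSPICIOUS_LICENSE,
        "app/code/Vendor/Good/Helper/Data.php": "<?php\nclass Data {}\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")


def run_demo() -> dict:
    """Build a temporary tree, baseline it, simulate drift, then audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_demo_tree(root)
        baseline = build_baseline(root)
        # Simulated drift after the baseline: one file edited, one new file dropped in
        (root / "app/code/Vendor/Good/Helper/Data.php").write_text("<?php\nclass Data { public $x = 1; }\n")
        (root / "pub/media").mkdir(parents=True, exist_ok=True)
        (root / "pub/media/cache.php").write_text("<?php\n// unexpected new file\n")
        findings = audit_license_files(root)
        return {
            "drift": diff_baseline(root, baseline),
            "license_files": [f["path"] for f in findings],
            "suspicious": [f["path"] for f in findings if f["suspicious"]],
        }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

In a real deployment the baseline would be written to disk (outside the web root, or better off-host) right after a clean install or update, and the drift report would run from cron; a flagged license file is a triage lead to review by hand, not proof of compromise, since the patterns are deliberately coarse.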

Sleep well, we got you covered.