Supply chain attack compromises Magento E-commerce extensions

Take action: If you run Magento e-commerce and have installed extensions from Tigren, Meetanshi, MGS, or Weltpixel, immediately review your servers for backdoors in License.php or LicenseApi.php files and remove them. Investigate the depth of the breach and whether any customer data was compromised, then restore from clean backups. Your customers may have been compromised as well.


Learn More

A coordinated supply chain attack targeting multiple Magento extension vendors has compromised between 500 and 1,000 e-commerce stores worldwide, including one belonging to a $40 billion multinational corporation. Security researchers at Sansec discovered malicious backdoors in 21 different Magento extensions from three primary vendors.

The backdoors were initially injected as far back as 2019, but remained dormant for approximately six years until being activated in April 2025. Sansec researchers confirmed that the backdoors have been actively exploited since at least April 20th, 2025.

The compromised extensions come from three primary vendors:

Tigren:

  • Ajaxsuite
  • Ajaxcart
  • Ajaxlogin
  • Ajaxcompare
  • Ajaxwishlist
  • MultiCOD

Meetanshi:

  • ImageClean
  • CookieNotice
  • Flatshipping
  • FacebookChat
  • CurrencySwitcher
  • DeferJS

MGS (Magesolution):

  • Lookbook
  • StoreLocator
  • Brand
  • GDPR
  • Portfolio
  • Popup
  • DeliveryTime
  • ProductTabs
  • Blog

Researchers also found a backdoored version of the Weltpixel GoogleTagManager extension but could not definitively determine whether the compromise occurred at Weltpixel or at specific stores using this extension.

The backdoor operates through a malicious code injection in license verification files named License.php or LicenseApi.php. The malicious functionality is contained in an adminLoadLicense function that executes PHP code from a license file that can be controlled by attackers.

In versions released in 2019, this malicious functionality didn't require authentication. Later versions implemented authentication through a secret key that must match a hardcoded checksum and salt:

    <?php
    class License {
        // Hardcoded values the backdoor compares the incoming requestKey/dataSign parameters against
        const SECURE_KEY = '83ba291cd9201e9a28173741bac82745';
        const SIGN_KEY   = 'afa3a778bd34181c44f2dfe1de8aff05';
    }

The backdoor code is activated through a registration.php file and has slight variations between vendors, including different authorization checksums, backdoor paths, and license filenames.

The backdoor mechanism checks for HTTP requests containing special parameters named "requestKey" and "dataSign," which are verified against hardcoded keys in the PHP files. Once authenticated, the backdoor allows remote users to upload new "license" files containing arbitrary PHP code that gets automatically executed.

This backdoor has been used to upload webshells to compromised websites. Given the ability to execute arbitrary PHP code, the potential impacts include data theft, skimmer injection, unauthorized admin account creation, and more.

When contacted about the backdoors:

  • MGS (Magesolution) did not respond, and backdoored packages were still available for download from their site as of April 30th.
  • Tigren denied being hacked, despite backdoored packages remaining available on their site as of April 30th.
  • Meetanshi confirmed their server was hacked but denied that their software had been tampered with.

BleepingComputer independently verified the presence of the backdoor in the MGS StoreLocator extension, which was freely available for download from the vendor's site.

Potentially affected stores should perform a security review to check for the presence of the backdoor and remove any fake License files they identify. If compromised files are found, perform complete server scans for the indicators of compromise and, where possible, restore affected sites from known-clean backups. Users should be very careful about using software from the affected vendors.
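As an added example (not code from Sansec, BleepingComputer, or any of the vendors named above), the following Python script turns the indicators in this advisory into a scan of a Magento code tree: it reports every License.php or LicenseApi.php for manual review and flags any PHP file that contains the adminLoadLicense function, the requestKey/dataSign parameter names, or the two hardcoded keys quoted above. The indicator weights, the threshold, the "executes loaded code" pattern, the VendorA/VendorB paths, and the fixture files it builds in a temporary directory are assumptions of this example.

```python
"""Added example scanner for the backdoored License.php / LicenseApi.php files
described in the advisory. Not Sansec's, BleepingComputer's, or any vendor's
tool. Indicators come from the advisory text; weights, threshold, the
eval/include pattern and the sample tree are this example's own assumptions."""
import os
import re
import tempfile

# File names the advisory says carry the backdoor. They are reported for
# review even with no content match, since legitimate license helpers exist.
SUSPECT_NAMES = {"License.php", "LicenseApi.php"}

# (pattern, weight, label). Weights are an assumption of this example.
INDICATORS = [
    (re.compile(r"\badminLoadLicense\b"), 3, "adminLoadLicense function"),
    (re.compile(r"\brequestKey\b"), 2, "requestKey parameter"),
    (re.compile(r"\bdataSign\b"), 2, "dataSign parameter"),
    (re.compile(r"83ba291cd9201e9a28173741bac82745"), 5, "hardcoded SECURE_KEY"),
    (re.compile(r"afa3a778bd34181c44f2dfe1de8aff05"), 5, "hardcoded SIGN_KEY"),
    # Assumed: a license helper that evals or includes a file it just loaded.
    (re.compile(r"\b(?:eval|include|require)(?:_once)?\s*\("), 1, "executes loaded code"),
]
THRESHOLD = 5  # one hardcoded key, or the function name plus a request parameter


def scan_file(path):
    """Score one PHP file; returns (score, [matched indicator labels])."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    hits = [(w, label) for pat, w, label in INDICATORS if pat.search(text)]
    return sum(w for w, _ in hits), [label for _, label in hits]


def scan_tree(root):
    """Walk root and return sorted [(relative_path, verdict, score, reasons)]
    for every PHP file that is a likely backdoor (score >= THRESHOLD) or a
    suspect file name that still needs manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            score, reasons = scan_file(path)
            if score >= THRESHOLD:
                verdict = "likely backdoor"
            elif name in SUSPECT_NAMES:
                verdict = "review"
            else:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, verdict, score, reasons))
    return sorted(findings)


# Constructed fixtures: a stub carrying only the advisory's indicators (no
# working backdoor body), a benign vendor license helper, and an unrelated file.
BACKDOOR_STUB = """<?php
class License {
    const SECURE_KEY = '83ba291cd9201e9a28173741bac82745';
    const SIGN_KEY   = 'afa3a778bd34181c44f2dfe1de8aff05';
    public function adminLoadLicense($request) {
        $key  = $request->getParam('requestKey');
        $sign = $request->getParam('dataSign');
        return [$key, $sign]; // constructed stub body, does nothing
    }
}
"""
BENIGN_LICENSE = """<?php
class License {
    public function isValid($serial) { return strlen($serial) === 32; }
}
"""
UNRELATED = "<?php\nclass Data { public function ping() { return 'pong'; } }\n"


def demo_scan():
    """Build the constructed fixture tree in a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "app/code/VendorA/Ajax/Helper/LicenseApi.php": BACKDOOR_STUB,
            "app/code/VendorB/Tabs/Helper/License.php": BENIGN_LICENSE,
            "app/code/VendorB/Tabs/Helper/Data.php": UNRELATED,
        }
        for rel, body in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, verdict, score, reasons in demo_scan():
        print(f"{verdict:16} {score:3}  {rel}  {', '.join(reasons) or '-'}")
```

Point scan_tree at the Magento root (app/code and vendor/ together) rather than one module: the advisory notes the file name and backdoor path vary between vendors, so a "review" verdict on a license helper with no content match is a prompt to diff that file against a clean copy of the extension, not a clean bill of health.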