- Sansec found 21 Magento extensions with malicious code
- The extensions belong to three companies, who claim everything’s in order
- Users are advised to take immediate action
Hundreds of ecommerce websites, including at least one major player, behemoth, have been compromised after poisoned Magento extensions woke up from a six-year slumber.
Cybersecurity researchers Sansec discovered the supply chain attack after one of its clients was targeted, ultimately finding 21 backdoored Magento extensions, belonging to three companies: Tigren, Meetanshi, and MSG. Here are their names:
Tigren Ajaxsuite
Tigren Ajaxcart
Tigren Ajaxlogin
Tigren Ajaxcompare
Tigren Ajaxwishlist
Tigren MultiCOD
Meetanshi ImageClean
Meetanshi CookieNotice
Meetanshi Flatshipping
Meetanshi FacebookChat
Meetanshi CurrencySwitcher
Meetanshi DeferJS
MGS Lookbook
MGS StoreLocator
MGS Brand
MGS GDPR
MGS Portfolio
MGS Popup
MGS DeliveryTime
MGS ProductTabs
MGS Blog
The long con
The company says some of the extensions were backdoored back in 2019. According to CyberInsider, the extensions were distributed via the vendors’ official download servers, which were “breached at some point”.
However, the attackers only activated the malicious code in April 2025. In the meantime, hundreds of ecommerce websites installed them, which resulted in the compromise of roughly 500 – 1,000 websites, including one owned by a $40 billion multinational corporation.
Sansec says that the attackers added a PHP backdoor to the license check file of all of the extensions, which allowed the threat actors to execute arbitrary PHP code remotely.
This granted them control over affected stores, compromising sensitive customer data and financial transactions in the process.
The researchers said they reached out to the three vendors with their findings, but got mixed responses.
Tigren denied having been breached and is allegedly still serving backdoored extensions, while Meetanshi confirmed having been breached but denied experiencing an extension compromise.
Finally, MGS did not even respond to Sansec’s inquiries, even though BleepingComputer confirmed the backdoor in at least one extension that’s currently on offer, for free, on the company website.
If you’re running a Magento store with any of the above-mentioned extensions, you should act immediately and secure your assets.
Via BleepingComputer
