- Sansec found 21 Magento extensions with malicious code
- Extensions belong to three companies, which claim everything is in order
- Users are advised to take immediate measures
Hundreds of e-commerce websites, including at least one major behemoth, were compromised after poisoned Magento extensions woke up from a six-year sleep.
Cybersecurity researchers at Sansec discovered the supply chain attack after one of its customers was targeted, ultimately finding 21 backdoored Magento extensions belonging to three companies: Tigren, Meetanshi and MGS. Here are their names:
Tigren ajaxsuite
Tigren Ajaxcart
Tigren ajaxlogin
Tigren AjaxCompare
Tigren ajaxwishlist
Tigren Multicod
Meetanshi imageclean
Meetanshi Cookienotice
Meetanshi Flatshipping
Meetanshi Facebook
Meetanshi Currencyswitcher
Meetanshi Deferjs
MGS lookbook
MGS Storelocator
MGS brand
MGS GDPR
MGS wallet
MGS Popup
MGS Deliverytime
MGS Producttabs
MGS blog
Long con
The company claims that some of the extensions were backdoored in 2019. According to CyberInsider, the extensions were distributed via the official download servers of the suppliers, who were “breached at some point”.
However, the attackers activated the malicious code in April 2025. In the meantime, hundreds of e-commerce websites had installed the extensions, which led to the compromise of around 500 to 1,000 websites, including that of a $40 billion multinational company.
Sansec says that the attackers added a PHP backdoor to the license verification file of all the extensions, which allowed the threat actors to execute arbitrary PHP code remotely.
This allowed them to control affected stores, compromising sensitive customer data and financial transactions in the process.
The researchers said they had contacted the three vendors with their findings, but received mixed responses.
Tigren denied having been breached and is reportedly still serving backdoored extensions, while Meetanshi confirmed that it was breached but denied that its extensions had been compromised.
Finally, MGS did not respond to Sansec's requests at all, even though BleepingComputer confirmed the backdoor in at least one extension that is currently offered on the company’s website.
If you run a Magento store with one of the above-mentioned extensions, you must act immediately and secure your assets.
Via BleepingComputer
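A first step in acting on that advice is an inventory. The sketch below is an added example, not Sansec's or any vendor's tooling: it walks a Magento 2 tree, reads each `etc/module.xml`, and reports every module from the three vendors together with PHP files whose name contains "license" for manual review. Assumptions: the standard `etc/module.xml` layout, the "license" filename heuristic, module names copied from the list above, and a constructed demo tree with hypothetical `Meetanshi_Example` and `Acme_Checkout` modules.

```python
import re
import tempfile
from pathlib import Path

# Module names from this page's list, lower-cased, vendor spelling normalised.
LISTED = {
    "tigren": {"ajaxsuite", "ajaxcart", "ajaxlogin", "ajaxcompare", "ajaxwishlist", "multicod"},
    "meetanshi": {"imageclean", "cookienotice", "flatshipping", "facebook",
                  "currencyswitcher", "deferjs"},
    "mgs": {"lookbook", "storelocator", "brand", "gdpr", "wallet", "popup",
            "deliverytime", "producttabs", "blog"},
}
MODULE_NAME = re.compile(r'<module\s+name="([A-Za-z0-9]+)_([A-Za-z0-9]+)"')

def find_vendor_modules(magento_root):
    """Return sorted (module, status, license_files) for the three vendors."""
    hits = []
    for xml in Path(magento_root).rglob("module.xml"):
        if xml.parent.name != "etc":
            continue
        m = MODULE_NAME.search(xml.read_text(errors="replace"))
        if not m or m.group(1).lower() not in LISTED:
            continue
        vendor, name = m.groups()
        status = "listed" if name.lower() in LISTED[vendor.lower()] else "same-vendor"
        module_dir = xml.parent.parent
        # Assumption: the license check is a PHP file with "license" in its name.
        files = sorted(p.relative_to(module_dir).as_posix()
                       for p in module_dir.rglob("*.php") if "license" in p.name.lower())
        hits.append((f"{vendor}_{name}", status, files))
    return sorted(hits)

def build_demo_tree(root):
    """Create a constructed Magento-like layout (sample data, not real modules)."""
    for rel, mod in [("app/code/Tigren/Ajaxsuite", "Tigren_Ajaxsuite"),
                     ("vendor/meetanshi/example-module", "Meetanshi_Example"),
                     ("app/code/Acme/Checkout", "Acme_Checkout")]:
        etc = Path(root, rel, "etc")
        etc.mkdir(parents=True)
        (etc / "module.xml").write_text(f'<config><module name="{mod}"/></config>')
    model = Path(root, "app/code/Tigren/Ajaxsuite/Model")
    model.mkdir()
    (model / "LicenseCheck.php").write_text("<?php // constructed placeholder\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for module, status, files in find_vendor_modules(tmp):
            print(module, status, files)
```

Modules reported as "same-vendor" are not on the list above but come from one of the three vendors, so they are surfaced for review as well.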