Up to 1,000 e-commerce websites, one of which is tied to a $40 billion global company, have been compromised in a supply chain intrusion involving 21 Magento extensions injected with a backdoor that was only activated last month after six years of dormancy, BleepingComputer reports.
According to security firm Sansec, the backdoor, inserted as far back as 2019, was embedded in license check files of extensions from Tigren, Meetanshi, and MGS, but only executed in April 2025. When triggered, it allows remote code execution via PHP, potentially enabling admin account creation, data theft, and skimmer deployment. While Meetanshi acknowledged a server breach, it denied its extensions were affected; MGS did not respond, and Tigren denied any breach and continues distributing the flagged software. BleepingComputer verified at least one infected file on MGS's site. Sansec warns that the backdoor, previously unauthenticated, now uses hardcoded keys and has already been used to install a webshell. They advise users to scan servers and restore from clean backups. Sansec called the delayed activation of the malware "peculiar" and continues investigating.