
One of the most sophisticated and long-running malware campaigns of recent years has just come to light. The security team at Sansec discovered a backdoor that had been hidden for over six years in 21 extensions for Magento, an e-commerce platform widely used around the world. According to the researchers, the malicious code was activated only recently, allowing the attackers to take full control of compromised servers.
The origin of the threat: a supply chain attack
The attack involved several extensions distributed by well-known names in the Magento community: Tigren, Meetanshi and MGS (Magesolution). A version of the Weltpixel GoogleTagManager extension was also found to be infected, although it was not possible to determine whether the compromise occurred on the vendor's side or on the end customer's side.
What makes this attack unusual is that the malware had been present in the code since 2019 but remained dormant until May 2025: a true sleeper Trojan which, once activated, allowed the criminals to deploy web shells, steal data, create administrative accounts and inject credit card skimmers.
How the backdoor works
The backdoor was found in files named License.php or LicenseApi.php, which are normally used to verify extension licenses. Inside them, researchers found obfuscated PHP code that checked for specific HTTP parameters (requestKey and dataSign). If their values matched hardcoded keys, a mechanism was triggered that allowed remote execution of attacker-supplied PHP code through include_once().
The latest versions of the backdoor were improved with authentication keys, making access safer for the attacker and harder to detect for automated scanning tools.
Vendors under accusation
Sansec attempted to contact the vendors involved:
- MGS: no response.
- Tigren: denied the compromise and continued to distribute the infected extensions.
- Meetanshi: admitted to a server breach, but denied that the extensions' code had been compromised.
This reticence on the part of the vendors further highlights the need for transparency and accountability in the software supply chain.
Recommendations for Magento Users
Sansec strongly recommends that all users of extensions from the vendors mentioned:
- Run a full server scan to detect any anomalies.
- Check License.php and LicenseApi.php files for suspicious code.
- Restore from clean backups, where possible.
- Monitor incoming HTTP requests for suspicious patterns involving the requestKey and dataSign parameters.
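As an added example (not code from Sansec's report or from any of the vendors), the following Python script implements the second and fourth recommendations over constructed samples, using the indicators given in the "How the backdoor works" section: a static scan of License.php / LicenseApi.php for request parameters named requestKey or dataSign feeding include_once()/require_once()/eval() (plus the usual PHP obfuscation primitives), and a pass over web-server access-log lines for requests carrying those parameters. The sample PHP and log lines are constructed to mimic the described control flow; they are not the real malware or real traffic, and the key values in them are placeholders.

```python
"""Triage checks for the License.php / LicenseApi.php backdoor pattern:
scan_php_source() flags PHP that reads the requestKey / dataSign request
parameters and reaches include_once()/require_once()/eval() (or uses common
obfuscation primitives); scan_access_log() flags access-log lines whose query
string carries those parameters. All samples below are constructed."""
import re
import sys
from pathlib import Path
from typing import Iterable
from urllib.parse import parse_qs, urlsplit

SUSPECT_FILENAMES = {"License.php", "LicenseApi.php"}  # files named in the report
SUSPECT_PARAMS = {"requestKey", "dataSign"}            # parameters named in the report

# (label, regex). "obfuscation" alone is a weak signal: genuine license code
# sometimes decodes base64 blobs too.
_INDICATORS = [
    ("request-param", re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[\s*['\"](?:requestKey|dataSign)['\"]\s*\]")),
    ("dynamic-include", re.compile(
        r"\b(?:include|include_once|require|require_once)\s*\(?\s*\$")),
    ("eval", re.compile(r"\beval\s*\(")),
    ("obfuscation", re.compile(
        r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
]

def scan_php_source(src: str) -> dict:
    """Classify one PHP file as clean / review / backdoor-pattern."""
    hits = {label for label, rx in _INDICATORS if rx.search(src)}
    if "request-param" in hits and hits & {"dynamic-include", "eval"}:
        verdict = "backdoor-pattern"  # the control flow described in the report
    elif hits:
        verdict = "review"            # a human should look; not proof of compromise
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": sorted(hits)}

def scan_extension_dir(root: Path) -> list:
    """Scan every License.php / LicenseApi.php below root."""
    return [(str(p), scan_php_source(p.read_text(errors="replace")))
            for p in root.rglob("*.php") if p.name in SUSPECT_FILENAMES]

# Request line inside a common/combined-format access-log entry.
_REQUEST_RX = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def scan_access_log(lines: Iterable[str]) -> list:
    """Return (line, params) for requests whose query string names a suspect parameter.
    Only the query string is visible here: parameters sent in a POST body never
    reach a standard access log and need a request-body or WAF log instead."""
    flagged = []
    for line in lines:
        m = _REQUEST_RX.search(line)
        if not m:
            continue
        params = set(parse_qs(urlsplit(m.group("target")).query))
        found = sorted(SUSPECT_PARAMS & params)
        if found:
            flagged.append((line.rstrip(), found))
    return flagged

# Constructed sample mimicking the described control flow; not the real malware.
SAMPLE_BACKDOORED = r"""<?php
class License {
    public function verify() {
        $k = $_REQUEST['requestKey'];
        if ($k === 'placeholder-key' && $_REQUEST['dataSign'] === 'placeholder-sign') {
            include_once($_REQUEST['payload']);
        }
        return true;
    }
}
"""
# Constructed sample of an unremarkable license check.
SAMPLE_CLEAN = r"""<?php
class License {
    public function verify(string $key): bool { return hash_equals($this->expected, $key); }
}
"""
# Constructed log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2025:12:01:03 +0000] "GET /index.php?requestKey=abc&dataSign=def HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.2 - - [10/May/2025:12:01:09 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9321 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2025:12:02:11 +0000] "POST /index.php?requestKey=abc HTTP/1.1" 200 12 "-" "curl/8.0"',
]

if __name__ == "__main__":
    # With a path argument, scan a real Magento code tree; otherwise run the samples.
    if len(sys.argv) > 1:
        for path, result in scan_extension_dir(Path(sys.argv[1])):
            print(path, result)
    else:
        print(scan_php_source(SAMPLE_BACKDOORED), scan_php_source(SAMPLE_CLEAN))
        print(scan_access_log(SAMPLE_LOG))
```

Run it as `python scan_license.py /path/to/magento/app/code` (the file name is a placeholder) to walk a real code tree. Two caveats apply: a "review" verdict means only that a file uses eval() or decoding primitives and needs a human look, since some legitimate license checks do the same; and the log check can only see query-string parameters, so a backdoor driven by POST bodies will not show up in a standard access log and needs a request-body or WAF log.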
One of the victims: a 40-billion-dollar multinational hit
According to sources close to the investigation, one of the victims of the attack is believed to be a multinational with a turnover of 40 billion dollars. This confirms the global reach and potentially devastating impact of a supply chain attack, even one planned years in advance.
This discovery is a wake-up call for the entire Magento ecosystem and for every platform that relies on third-party extensions. It shows how dangerous an upstream compromise can be, especially when it is orchestrated with surgical precision and a long dormancy period.
Sansec will continue to investigate the backdoor and promises further updates. In the meantime, the lesson is clear: supply chain security should never be underestimated.