{"id":34155,"date":"2025-05-28T05:46:04","date_gmt":"2025-05-28T05:46:04","guid":{"rendered":"https:\/\/www.digife.it\/?p=34155"},"modified":"2025-05-28T05:46:04","modified_gmt":"2025-05-28T05:46:04","slug":"backdoor-active-after-six-years-supply-chain-attack-compromises-over-1000-magento-based-e-commerce-sites","status":"publish","type":"post","link":"https:\/\/www.digife.it\/en\/backdoor-active-after-six-years-supply-chain-attack-compromises-over-1000-magento-based-e-commerce-sites\/","title":{"rendered":"Backdoor Active After Six Years: Supply Chain Attack Compromises Over 1,000 Magento-Based E-Commerce Sites"},"content":{"rendered":"<p data-start=\"341\" data-end=\"802\">One of the most sophisticated and long-running malware campaigns in recent years has just come to light. The <strong data-start=\"463\" data-end=\"473\">Sansec<\/strong> security team discovered a <strong data-start=\"490\" data-end=\"530\">backdoor hidden for over six years<\/strong> within 21 extensions for Magento, an e-commerce platform widely used around the world. According to the researchers, the malicious code was activated only recently, giving the attackers <strong data-start=\"759\" data-end=\"801\">full control of compromised servers<\/strong>.<\/p>\n<h3 data-start=\"804\" data-end=\"869\"><strong data-start=\"811\" data-end=\"869\">The origin of the threat: a supply chain attack<\/strong><\/h3>\n<p data-start=\"871\" data-end=\"1204\">The attack involved several extensions distributed by well-known names in the Magento community: <strong data-start=\"963\" data-end=\"1005\">Tigren, Meetanshi and MGS (Magesolution)<\/strong>. 
A version of the <strong data-start=\"1042\" data-end=\"1072\">World Pixel GoogleTagManager<\/strong> extension was also found to be infected, although it was not possible to determine whether the compromise happened on the vendor side or at the end customer.<\/p>\n<p data-start=\"1206\" data-end=\"1567\">What makes this attack unusual is that <strong data-start=\"1247\" data-end=\"1298\">the malware had been present in the code since 2019<\/strong> but remained dormant until May 2025. A genuine sleeper Trojan: once activated, it let the attackers deploy web shells, steal data, create administrator accounts and inject credit card skimmers.<\/p>\n<hr data-start=\"1569\" data-end=\"1572\" \/>\n<h3 data-start=\"1574\" data-end=\"1610\"><strong data-start=\"1581\" data-end=\"1610\">How the backdoor works<\/strong><\/h3>\n<p data-start=\"1612\" data-end=\"2057\">The backdoor was found in files named <code data-start=\"1650\" data-end=\"1663\">License.php<\/code> or <code data-start=\"1666\" data-end=\"1682\">LicenseApi.php<\/code>, which normally handle extension license verification. Inside them, researchers found <strong data-start=\"1800\" data-end=\"1824\">obfuscated PHP code<\/strong> that checked two specific HTTP parameters (<code data-start=\"1867\" data-end=\"1879\">requestKey<\/code> and <code data-start=\"1882\" data-end=\"1892\">dataSign<\/code>). 
If the values matched hardcoded keys, the code activated <strong data-start=\"1965\" data-end=\"2031\">a mechanism that allowed remote execution of PHP code<\/strong> via <code data-start=\"2040\" data-end=\"2056\">include_once()<\/code>.<\/p>\n<p data-start=\"2059\" data-end=\"2261\">The most recent versions of the backdoor added <strong data-start=\"2124\" data-end=\"2152\">authentication keys<\/strong>, keeping the backdoor usable only by whoever holds the key and making it harder for automated scanning tools to detect.<\/p>\n<hr data-start=\"2263\" data-end=\"2266\" \/>\n<h3 data-start=\"2268\" data-end=\"2301\"><strong data-start=\"2275\" data-end=\"2301\">The vendors' responses<\/strong><\/h3>\n<p data-start=\"2303\" data-end=\"2357\">Sansec contacted the vendors involved:<\/p>\n<ul data-start=\"2359\" data-end=\"2597\">\n<li data-start=\"2359\" data-end=\"2387\">\n<p data-start=\"2361\" data-end=\"2387\"><strong data-start=\"2361\" data-end=\"2368\">MGS<\/strong>: no response.<\/p>\n<\/li>\n<li data-start=\"2388\" data-end=\"2482\">\n<p data-start=\"2390\" data-end=\"2482\"><strong data-start=\"2390\" data-end=\"2400\">Tigren<\/strong>: denied the compromise and continued to distribute the infected extensions.<\/p>\n<\/li>\n<li data-start=\"2483\" data-end=\"2597\">\n<p data-start=\"2485\" data-end=\"2597\"><strong data-start=\"2485\" data-end=\"2498\">Meetanshi<\/strong>: admitted to a server breach, but denied that the extensions&#039; code had been compromised.<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"2599\" data-end=\"2745\">These responses underline the need for <strong data-start=\"2680\" data-end=\"2744\">transparency and accountability in the software supply chain<\/strong>.<\/p>\n<hr data-start=\"2747\" data-end=\"2750\" \/>\n<h3 data-start=\"2752\" data-end=\"2801\"><strong data-start=\"2759\" data-end=\"2801\">Recommendations for Magento Users<\/strong><\/h3>\n<p data-start=\"2803\" data-end=\"2900\">Sansec strongly recommends all 
users of extensions from the vendors named above to:<\/p>\n<ul data-start=\"2902\" data-end=\"3238\">\n<li data-start=\"2902\" data-end=\"2983\">\n<p data-start=\"2904\" data-end=\"2983\"><strong data-start=\"2904\" data-end=\"2950\">Run a full server scan<\/strong> to detect any anomalies.<\/p>\n<\/li>\n<li data-start=\"2984\" data-end=\"3058\">\n<p data-start=\"2986\" data-end=\"3058\"><strong data-start=\"2986\" data-end=\"3037\">Check License.php and LicenseApi.php files<\/strong> for suspicious code.<\/p>\n<\/li>\n<li data-start=\"3059\" data-end=\"3114\">\n<p data-start=\"3061\" data-end=\"3114\"><strong data-start=\"3061\" data-end=\"3094\">Restore from clean backups<\/strong>, where possible.<\/p>\n<\/li>\n<li data-start=\"3115\" data-end=\"3238\">\n<p data-start=\"3117\" data-end=\"3238\"><strong data-start=\"3117\" data-end=\"3149\">Monitor incoming HTTP requests<\/strong> for suspicious patterns involving the parameters <code data-start=\"3212\" data-end=\"3224\">requestKey<\/code> and <code data-start=\"3227\" data-end=\"3237\">dataSign<\/code>.<\/p>\n<\/li>\n<\/ul>\n<hr data-start=\"3240\" data-end=\"3243\" \/>\n<h3 data-start=\"3245\" data-end=\"3327\"><strong data-start=\"3252\" data-end=\"3327\">One of the victims: a multinational with 40 billion dollars in revenue<\/strong><\/h3>\n<p data-start=\"3329\" data-end=\"3605\">According to sources close to the investigation, <strong data-start=\"3364\" data-end=\"3468\">one of the victims of the attack is believed to be a multinational with a turnover of 40 billion dollars<\/strong>. 
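The two checks that Sansec recommends above (inspect License.php / LicenseApi.php for suspicious code, and watch incoming requests for the requestKey and dataSign parameters) can be scripted. The following Python is an added example written for this page; it is not Sansec's tooling nor code from any of the vendors. It assumes web server logs in Combined Log Format, and the PHP and log samples embedded in it are constructed for the example: the "suspect" PHP only imitates the mechanism described in the article (magic parameters gating an include_once()) and is not the real backdoor.

```python
"""Detection helpers for the License.php / LicenseApi.php backdoor pattern.

Two checks, mirroring the recommendations in the article:
  1. assess_php() / scan_tree(): flag license files that read the requestKey
     and dataSign parameters, or that feed request data into an include while
     also calling PHP obfuscation functions.
  2. scan_access_log(): pull requests carrying both parameters out of an
     access log.
All sample PHP and log lines below are constructed for this example.
"""
import re
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

SUSPECT_FILENAMES = {"License.php", "LicenseApi.php"}
BACKDOOR_PARAMS = {"requestKey", "dataSign"}
# PHP functions routinely used to hide or execute injected code.
OBFUSCATION_CALLS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "eval")
INCLUDE_CALLS = ("include_once", "require_once", "include", "require")
# Combined Log Format as written by Apache and nginx; only the request line matters here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def php_indicators(source: str) -> dict:
    """Collect the individual indicators found in one PHP source string."""
    return {
        "params": {p for p in BACKDOOR_PARAMS if re.search(r"['\"]" + p + r"['\"]", source)},
        "superglobal": bool(re.search(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", source)),
        "obfuscation": [c for c in OBFUSCATION_CALLS if re.search(r"\b" + c + r"\s*\(", source)],
        "include": [c for c in INCLUDE_CALLS if re.search(r"\b" + c + r"\s*\(", source)],
        # A long base64-looking literal is the usual carrier of an obfuscated payload.
        "long_blob": bool(re.search(r"['\"][A-Za-z0-9+/=]{120,}['\"]", source)),
    }


def assess_php(filename: str, source: str) -> tuple[bool, list[str]]:
    """Decide whether a license file deserves manual review and say why.

    The plaintext parameter names alone are decisive. Obfuscated variants may
    not contain them at all, so the second rule looks for a combination a
    license check has no business having: request data next to an include or
    require, together with an obfuscation call or an opaque blob.
    """
    ind = php_indicators(source)
    reasons = []
    if ind["params"] == BACKDOOR_PARAMS:
        reasons.append("reads both requestKey and dataSign")
    if ind["superglobal"] and ind["include"]:
        reasons.append("request data next to " + "/".join(ind["include"]))
    if ind["obfuscation"]:
        reasons.append("obfuscation calls: " + ", ".join(ind["obfuscation"]))
    if ind["long_blob"]:
        reasons.append("long base64-like literal")
    suspicious = ind["params"] == BACKDOOR_PARAMS or (
        ind["superglobal"] and bool(ind["include"]) and (bool(ind["obfuscation"]) or ind["long_blob"])
    )
    return suspicious, reasons


def scan_tree(root: str) -> list[tuple[str, list[str]]]:
    """Walk a Magento code tree and assess every License.php / LicenseApi.php in it."""
    findings = []
    for path in Path(root).rglob("*.php"):
        if path.name in SUSPECT_FILENAMES:
            flag, why = assess_php(path.name, path.read_text(errors="replace"))
            if flag:
                findings.append((str(path), why))
    return findings


def scan_access_log(lines) -> list[dict]:
    """Return requests whose query string carries both backdoor parameters.

    Caveat: an access log records the URL only. Parameters sent in a POST body
    never appear here, so pair this with WAF or request-body logging.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query)
        if BACKDOOR_PARAMS.issubset(query):
            hits.append({"ip": m["ip"], "method": m["method"], "target": m["target"], "status": m["status"]})
    return hits


# Constructed sample: an ordinary license check that should not be flagged.
BENIGN_PHP = r"""<?php
namespace Vendor\Module\Helper;
class License
{
    public function isValid(string $key, string $expectedHash): bool
    {
        return hash_equals($expectedHash, hash('sha256', $key));
    }
}
"""

# Constructed stand-in for the pattern the article describes (magic parameters
# gate an include_once() of attacker-chosen code). Not the real backdoor.
SUSPECT_PHP = r"""<?php
class LicenseApi
{
    public function check()
    {
        $k = $_REQUEST['requestKey'] ?? '';
        $s = $_REQUEST['dataSign'] ?? '';
        if ($k === 'c0ffee' && $s === md5($k . 'salt')) {
            include_once(base64_decode('L3RtcC9jYWNoZS5waHA='));
        }
    }
}
"""

# Constructed access log lines; the second one is a backdoor-style probe.
SAMPLE_LOG = """\
10.0.0.5 - - [27/May/2025:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2025:10:15:33 +0000] "GET /index.php?requestKey=c0ffee&dataSign=0b3f9a1c HTTP/1.1" 200 0 "-" "curl/8.4.0"
198.51.100.2 - - [27/May/2025:10:16:10 +0000] "POST /checkout/cart/add?requestKey=c0ffee HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for name, src in (("License.php", BENIGN_PHP), ("LicenseApi.php", SUSPECT_PHP)):
        flag, why = assess_php(name, src)
        print(f"{name}: {'SUSPICIOUS' if flag else 'clean'} {why}")
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print("backdoor-style request:", hit)
```

Run it as-is to see the two samples classified, or call scan_tree() on a Magento document root to sweep every vendor module. A flagged file still needs a human read; the point of the second rule is to surface license files whose behaviour depends on request data, which a license check never should.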
This confirms the global reach and potentially devastating impact of a supply chain attack, even one that was set up years in advance.<\/p>\n<p data-start=\"3636\" data-end=\"3969\">This discovery is <strong data-start=\"3664\" data-end=\"3795\">a wake-up call for the entire Magento ecosystem and for every platform that relies on third-party extensions.<\/strong> It shows how dangerous an upstream compromise can be, especially when it is carried out with surgical precision and a long dormancy period.<\/p>\n<p data-start=\"3971\" data-end=\"4154\"><strong data-start=\"3971\" data-end=\"3981\">Sansec<\/strong> will continue to investigate the backdoor and has promised further updates. In the meantime, the lesson is clear: <strong data-start=\"4091\" data-end=\"4153\">supply chain security must never be underestimated<\/strong>.<\/p>","protected":false},"excerpt":{"rendered":"<p>One of the most sophisticated and long-running malware campaigns in recent years has just come to light. The Sansec security team discovered a backdoor hidden for over 
six\u2026<\/p>","protected":false},"author":4,"featured_media":34156,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-34155","post","type-post","status-publish","format-standard","has-post-thumbnail","category-curiosita-web"],"_links":{"self":[{"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/posts\/34155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/comments?post=34155"}],"version-history":[{"count":0,"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/posts\/34155\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/media\/34156"}],"wp:attachment":[{"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/media?parent=34155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/categories?post=34155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.digife.it\/en\/wp-json\/wp\/v2\/tags?post=34155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}