A supply chain attack on Magento extensions has infected at least 500 e-commerce sites with malware that actively steals sensitive data from visitors. The attack remains ongoing and poses a risk to both merchants and consumers.
Researchers from Sansec discovered that the attack affected at least three software providers: Tigren, Magesolution (MGS), and Meetanshi. The attack added malicious code to 21 popular Magento extensions.
Notably, the malware was introduced in some cases as early as 2019 but only became active in April 2025, according to Ars Technica. The code was placed via a hidden backdoor in the extensions and executes PHP code on the e-commerce sites’ servers. Subsequently, skimming software is installed in visitors’ browsers to steal payment details and other sensitive information.
According to Sansec, an e-commerce platform of a multinational company worth $40 billion has also been affected, although the company’s name is not disclosed. In total, between 500 and 1,000 webshops worldwide are believed to be infected.
Distribution of infected extensions continues
The malware exploits a PHP function present in license control scripts of the affected extensions. The function checks for specific HTTP requests with secret parameters. If these are correct, attackers can upload and execute their own code on the server. This grants them full access to the system and allows them, for example, to inject skimmers or create administrator accounts.
Sansec states that Tigren and Magesolution (MGS) are still distributing infected versions of their software. Meetanshi acknowledges a server breach but denies that the extensions themselves were modified. Weltpixel is also mentioned, but the exact source of the infection remains unclear for them.
VENDOR | PACKAGE |
Tigren | Ajaxsuite |
Tigren | Ajaxcart |
Tigren | Ajaxlogin |
Tigren | Ajaxcompare |
Tigren | Ajaxwishlist |
Tigren | MultiCOD |
Meetanshi | ImageClean |
Meetanshi | CookieNotice |
Meetanshi | Flatshipping |
Meetanshi | FacebookChat |
Meetanshi | CurrencySwitcher |
Meetanshi | DeferJS |
MGS | Lookbook |
MGS | StoreLocator |
MGS | Brand |
MGS | GDPR |
MGS | Portfolio |
MGS | Popup |
MGS | DeliveryTime |
MGS | ProductTabs |
MGS | Blog |
Administrators of webshops that depend on extensions from Tigren, MGS, or Meetanshi are advised to thoroughly check their systems for traces of the backdoor. Sansec specifically mentions a PHP function where a file named $licenseFile is loaded as an indicator of compromise.
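A starting point for that check, as an added example that is not from Sansec or the original article: a Python scan that flags PHP files in which `$licenseFile` is passed to `include`/`require`, and marks hits that sit under a directory named after one of the listed vendors. The regex is an assumed reading of "loaded", and the sample files and paths are constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Vendor names taken from the article; matched against directory names.
VENDORS = {"tigren", "meetanshi", "mgs", "magesolution"}

# Assumption: "loaded" means include/require(_once) applied to $licenseFile.
LOAD_RE = re.compile(r"(?i:\b(?:include|require)(?:_once)?\b)[\s(]*\$licenseFile\b")


def scan_tree(root):
    """Return sorted (relative_path, line_no, listed_vendor) tuples for each hit."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        listed = any(part.lower() in VENDORS for part in rel.parts)
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), 1):
            if LOAD_RE.search(line):
                hits.append((rel.as_posix(), line_no, listed))
    return sorted(hits)


def build_sample_tree(root):
    """Write constructed PHP stubs (not real extension code) for an offline run."""
    samples = {
        "app/code/Tigren/Ajaxsuite/License.php":
            "<?php\nfunction check($licenseFile) {\n    include_once $licenseFile;\n}\n",
        "app/code/Other/Thing/Loader.php": "<?php\nrequire($licenseFile);\n",
        "app/code/MGS/Blog/Helper.php": "<?php\n$licenseFileName = 'license.txt';\n",
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    # With no argument, scan a constructed sample tree; otherwise scan the given path.
    with tempfile.TemporaryDirectory() as tmp:
        if len(sys.argv) < 2:
            build_sample_tree(tmp)
        for rel, line_no, listed in scan_tree(sys.argv[1] if len(sys.argv) > 1 else tmp):
            tag = "LISTED VENDOR" if listed else "other path"
            print(f"{rel}:{line_no}: loads $licenseFile [{tag}]")
```

A hit is a lead for manual review rather than proof of compromise, and a clean result does not rule out a variant that loads the file some other way.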
The full list of infected extensions can be found above. Sansec continues to investigate the incident. The most peculiar aspect: how did the malware manage to remain undetected for years?