
The Sansec Forensics Team has uncovered a coordinated supply chain attack that has silently infected ecommerce infrastructure worldwide. According to the report, 21 ecommerce software components from prominent vendors were found to contain a stealthy backdoor, potentially compromising between 500 and 1,000 stores, including a $40 billion multinational retailer.
“Curiously, the malware was injected 6 years ago, but came to life this week as attackers took full control of ecommerce servers,” Sansec revealed.
The attackers breached the download servers of well-known ecommerce vendors, including Tigren, Magesolution (MGS), and Meetanshi, injecting backdoors directly into their software packages. The affected extensions span critical ecommerce features like carts, logins, wishlists, shipping, chat, currency handling, and GDPR compliance.
“This hack is called a Supply Chain Attack, which is one of the worst types,” Sansec emphasized. “By hacking these vendors, the attacker gained access to all of their customers’ stores. And by proxy, to all of the customers that visit these stores.”
The malware has been actively exploited since at least April 20th, and includes components designed to execute arbitrary code on victim servers behind what looks like a legitimate licensing check.
The backdoor, hidden within files like License.php or LicenseApi.php, is triggered through Magento’s module registration system. The malicious code centers on the adminLoadLicense function, which executes a PHP file controlled by the attacker:
Older variants of the backdoor require no authentication at all to execute. Newer variants check a hardcoded secret key, but a key that ships inside the distributed code is not a secure barrier.
Each vendor-specific package contains unique identifiers, including a SECURE_KEY, SIGN_KEY, and module-specific paths. For example:
- Meetanshi License Filename: mtn-license
- MGS License Filename: mgs-license
- Tigren License Filename: apj-license
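A triage scan for the pattern described above, added here as an example rather than code from Sansec or the affected vendors: it walks a Magento code base looking for files named License.php or LicenseApi.php that define adminLoadLicense or mention the vendor license filenames listed above. The sample directory it builds is constructed for the stand-alone run and contains no real vendor code.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# File names the report says the backdoor hides in.
SUSPECT_FILENAMES = {"License.php", "LicenseApi.php"}
# Function at the centre of the backdoor, per the report.
SUSPECT_FUNCTION = re.compile(r"\bfunction\s+adminLoadLicense\b")
# Vendor-specific license file names listed in the report.
SUSPECT_LICENSE_NAMES = ("mtn-license", "mgs-license", "apj-license")


def scan_file(path: Path) -> Optional[Dict[str, object]]:
    """Return a finding if this file carries any of the indicators, else None."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None
    hits: List[str] = []
    if SUSPECT_FUNCTION.search(text):
        hits.append("adminLoadLicense")
    hits += [name for name in SUSPECT_LICENSE_NAMES if name in text]
    return {"path": str(path), "indicators": hits} if hits else None


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a code base and report suspect licence files that match an indicator."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in SUSPECT_FILENAMES:
                finding = scan_file(Path(dirpath) / name)
                if finding:
                    findings.append(finding)
    return findings


def build_sample_tree() -> str:
    """Constructed sample tree (hypothetical module paths, not real vendor code)."""
    root = tempfile.mkdtemp(prefix="magento_scan_")
    bad = Path(root) / "app" / "code" / "Vendor" / "Module" / "Helper"
    bad.mkdir(parents=True)
    (bad / "License.php").write_text(
        "<?php\nclass License {\n    public function adminLoadLicense($key) {}\n}\n")
    ok = Path(root) / "app" / "code" / "Other" / "Module" / "Helper"
    ok.mkdir(parents=True)
    (ok / "License.php").write_text("<?php\nclass License { public function check() {} }\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f["path"], f["indicators"])
```

A hit is a triage signal, not proof: a legitimate licence helper can share a file name, and a renamed backdoor would not be caught by a name-based scan, so compare flagged files against a known-clean copy of the extension.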
Affected Extensions Include:
Tigren:
- Ajaxsuite, Ajaxcart, Ajaxlogin, Ajaxwishlist, MultiCOD
Meetanshi:
- CookieNotice, Flatshipping, FacebookChat, CurrencySwitcher, DeferJS
MGS (Magesolution):
- Lookbook, Blog, Portfolio, StoreLocator, GDPR
Also Found:
A tampered version of the Weltpixel GoogleTagManager extension, though it remains unclear whether Weltpixel itself was breached.
The vendors’ responses have been mixed and troubling:
- Magesolution (MGS): No response; backdoored packages still available as of April 30th.
- Tigren: Denies being hacked, but tainted files remain downloadable.
- Meetanshi: Claims their software was not tampered with, but confirmed their server was breached.
“If you use software from these vendors, you should check your store now,” Sansec urges.