
ARSTECHNICA.COM
Hundreds of e-commerce sites hacked in supply-chain attack
BEWARE OF PICKPOCKETS AND HACKED SITES

Attack that started in April and remains ongoing runs malicious code on visitors' devices.

Dan Goodin – May 5, 2025 3:05 pm

Credit: Getty Images

Hundreds of e-commerce sites, at least one owned by a large multinational company, were backdoored by malware that executes malicious code inside the browsers of visitors, where it can steal payment card information and other sensitive data, security researchers said Monday.

The infections are the result of a supply-chain attack that compromised at least three software providers with malware that remained dormant for six years and became active only in the last few weeks. At least 500 e-commerce sites that rely on the backdoored software were infected, and it’s possible that the true number is double that, researchers from security firm Sansec said. Among the compromised customers was a $40 billion multinational company, which Sansec didn’t name. In an email Monday, a Sansec representative said that “global remediation [on the infected customers] remains limited.”

Code execution on visitors’ machines

The supply-chain attack poses a significant risk to the thousands or millions of people visiting the infected sites, because it allows attackers to execute code of their choice on e-commerce site servers. From there, the servers run info-stealing code on visitor machines. “Since the backdoor allows uploading and executing arbitrary PHP code, the attackers have full remote code execution (RCE) and can do essentially anything they want,” the representative wrote.
“In nearly all Adobe Commerce/Magento breaches we observe, the backdoor is then used to inject skimming software that runs in the user's browser and steals payment information (Magecart).”

The three software suppliers identified by Sansec were Tigren, Magesolution (MGS), and Meetanshi. All three supply software that’s based on Magento, an open source e-commerce platform used by thousands of online stores. A software version sold by a fourth provider named Weltpixel has been infected with similar code on some of its customers' stores, but Sansec so far has been unable to confirm whether it was the stores or Weltpixel that were hacked. Adobe has owned Magento since 2018.

The Sansec representative said that as of Monday, both Tigren and Magesolution continued to distribute backdoored versions of their software to customers. Meetanshi, the representative added, has denied “any tampering but admits to being hacked.” Tigren, Magesolution, and Meetanshi didn’t respond to questions sent by email and contact forms on their sites. Attempts to reach Weltpixel were unsuccessful.

Sansec said that any e-commerce site that relies on software from one of the vendors should carefully inspect its platform for signs of infection. One of the easiest ways to spot the malicious code is to look for a function added to the software that executes a file named $licenseFile as PHP code:

    protected function adminLoadLicense($licenseFile)
    {
        // ...
        // include_once evaluates the file's contents as PHP, so whatever
        // is written to $licenseFile runs on the store's server.
        $data = include_once($licenseFile);
        // ...
    }

The backdoor code checks for a secret key in incoming Web requests and, when it is presented, gives the key holder the ability to run commands on the e-commerce server. Once $licenseFile runs, it initiates a chain of additional functions that eventually execute malicious PHP code on the machines of site visitors. Sansec’s post, linked above, provides additional details admins can use to determine if they’re infected. In all, Sansec identified 21 extensions from the three providers that have been infected.
They are:

    Vendor      Package
    Tigren      Ajaxsuite
    Tigren      Ajaxcart
    Tigren      Ajaxlogin
    Tigren      Ajaxcompare
    Tigren      Ajaxwishlist
    Tigren      MultiCOD
    Meetanshi   ImageClean
    Meetanshi   CookieNotice
    Meetanshi   Flatshipping
    Meetanshi   FacebookChat
    Meetanshi   CurrencySwitcher
    Meetanshi   DeferJS
    MGS         Lookbook
    MGS         StoreLocator
    MGS         Brand
    MGS         GDPR
    MGS         Portfolio
    MGS         Popup
    MGS         DeliveryTime
    MGS         ProductTabs
    MGS         Blog

One of the biggest mysteries surrounding Sansec’s discovery is how the malware that kicked off the supply-chain attack managed to remain dormant and undetected for six years before coming to life. These sorts of delayed backdoors are a rarity. Sansec said it’s still investigating.

Dan Goodin, Senior Security Editor

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
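The article gives store admins two concrete things to look for: a PHP method that passes a variable named $licenseFile to include_once, and the 21 vendor/package names in the table above. The following Python scanner, an added example that is neither Sansec's tooling nor anything from the article, walks a Magento installation for both. It assumes the standard Magento 2 layout app/code/<Vendor>/<Package>/... for module sources; where a store keeps these extensions elsewhere (for example under vendor/ via Composer), the code-pattern check still applies to every .php file found, but the module-name check will not. The sample store tree it builds is constructed inline for the demonstration.

```python
"""Scan a Magento tree for the two indicators named in the article.

Added example, not Sansec's or the article's code. Assumptions: modules
live under app/code/<Vendor>/<Package>/ (the standard Magento 2 layout);
the demo tree built by build_demo_tree() is constructed for illustration.
"""
import re
import tempfile
from pathlib import Path

# The 21 extensions the article lists as infected, as (vendor, package).
INFECTED_EXTENSIONS = {
    ("Tigren", "Ajaxsuite"), ("Tigren", "Ajaxcart"), ("Tigren", "Ajaxlogin"),
    ("Tigren", "Ajaxcompare"), ("Tigren", "Ajaxwishlist"), ("Tigren", "MultiCOD"),
    ("Meetanshi", "ImageClean"), ("Meetanshi", "CookieNotice"),
    ("Meetanshi", "Flatshipping"), ("Meetanshi", "FacebookChat"),
    ("Meetanshi", "CurrencySwitcher"), ("Meetanshi", "DeferJS"),
    ("MGS", "Lookbook"), ("MGS", "StoreLocator"), ("MGS", "Brand"),
    ("MGS", "GDPR"), ("MGS", "Portfolio"), ("MGS", "Popup"),
    ("MGS", "DeliveryTime"), ("MGS", "ProductTabs"), ("MGS", "Blog"),
}

# include/include_once/require/require_once applied to $licenseFile,
# with or without parentheses: the file is executed as PHP.
LICENSE_INCLUDE = re.compile(
    r"\b(include|include_once|require|require_once)\s*\(?\s*\$licenseFile\b"
)
# The method name the article points at.
LICENSE_METHOD = re.compile(r"\bfunction\s+adminLoadLicense\s*\(")


def scan_php_source(source: str) -> list[str]:
    """Return the names of the code indicators present in one PHP file."""
    hits = []
    if LICENSE_METHOD.search(source):
        hits.append("adminLoadLicense")
    if LICENSE_INCLUDE.search(source):
        hits.append("include-of-licenseFile")
    return hits


def module_name_from_path(root: Path, php_file: Path):
    """Map app/code/<Vendor>/<Package>/... to (Vendor, Package), else None."""
    parts = php_file.relative_to(root).parts
    if len(parts) >= 4 and parts[0] == "app" and parts[1] == "code":
        return (parts[2], parts[3])
    return None


def scan_tree(root) -> dict:
    """Walk a Magento root; report flagged files and installed listed modules."""
    root = Path(root)
    report = {"code_indicators": {}, "listed_modules": set()}
    for php_file in root.rglob("*.php"):
        module = module_name_from_path(root, php_file)
        if module in INFECTED_EXTENSIONS:
            report["listed_modules"].add(module)
        hits = scan_php_source(php_file.read_text(errors="replace"))
        if hits:
            report["code_indicators"][str(php_file.relative_to(root))] = hits
    return report


def build_demo_tree() -> Path:
    """Constructed sample store: one benign file, one carrying the indicator."""
    root = Path(tempfile.mkdtemp())
    benign = root / "app/code/Acme/Shipping/Helper/Data.php"
    benign.parent.mkdir(parents=True)
    # A normal include of a fixed path does not match the indicator.
    benign.write_text(
        "<?php\nclass Data { function rates() { return require __DIR__ . '/rates.php'; } }\n"
    )
    suspicious = root / "app/code/Tigren/Ajaxsuite/Helper/Data.php"
    suspicious.parent.mkdir(parents=True)
    # Mirrors the fragment quoted in the article (constructed here).
    suspicious.write_text(
        "<?php\nclass Data {\n"
        "  protected function adminLoadLicense($licenseFile) {\n"
        "    $data = include_once($licenseFile);\n"
        "    return $data;\n  }\n}\n"
    )
    return root


if __name__ == "__main__":
    report = scan_tree(build_demo_tree())
    for path, hits in report["code_indicators"].items():
        print(f"{path}: {', '.join(hits)}")
    for vendor, package in sorted(report["listed_modules"]):
        print(f"listed module installed: {vendor}/{package}")
```

Run it against a real store with scan_tree("/path/to/magento"); a hit on the code pattern is the stronger signal, since a listed module may have been installed from a clean release, while an unlisted module can still carry the same backdoor.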