BEWARE OF PICKPOCKETS AND HACKED SITES

Hundreds of e-commerce sites hacked in supply-chain attack

Attack that started in April and remains ongoing runs malicious code on visitors’ devices.

Dan Goodin

Hundreds of e-commerce sites, at least one owned by a large multinational company, were backdoored by malware that executes malicious code inside the browsers of visitors, where it can steal payment card information and other sensitive data, security researchers said Monday.

The infections are the result of a supply-chain attack that compromised at least three software providers with malware that remained dormant for six years and became active only in the last few weeks. At least 500 e-commerce sites that rely on the backdoored software were infected, and it’s possible that the true number is double that, researchers from security firm Sansec said.

Among the compromised customers was a $40 billion multinational company, which Sansec didn’t name. In an email Monday, a Sansec representative said that “global remediation [on the infected customers] remains limited.”

Code execution on visitors’ machines

The supply-chain attack poses a significant risk to the thousands or millions of people visiting the infected sites, because it allows attackers to execute code of their choice on e-commerce site servers. From there, the servers run info-stealing code on visitor machines.

“Since the backdoor allows uploading and executing arbitrary PHP code, the attackers have full remote code execution (RCE) and can do essentially anything they want,” the representative wrote. “In nearly all Adobe Commerce/Magento breaches we observe, the backdoor is then used to inject skimming software that runs in the user’s browser and steals payment information (Magecart).”

The three software suppliers identified by Sansec were Tigren, Magesolution (MGS), and Meetanshi. All three supply software that’s based on Magento, an open source e-commerce platform used by thousands of online stores. A software version sold by a fourth provider named Weltpixel has been infected with similar code on some of its customers’ stores, but Sansec so far has been unable to confirm whether it was the stores or Weltpixel that were hacked. Adobe has owned Magento since 2018.

The Sansec representative said that as of Monday, both Tigren and Magesolution continued to distribute backdoored versions of their software to customers. Meetanshi, the representative added, has denied “any tampering but admits to being hacked.” Tigren, Magesolution, and Meetanshi didn’t respond to questions sent by email and contact forms on their sites. Attempts to reach Weltpixel were unsuccessful.

Sansec said that any e-commerce site that relies on software from one of the vendors should carefully inspect its platform for signs of infection. One of the easiest ways to spot the malicious code is to look for a function added to it that executes a file named $licenseFile as PHP code:

protected function adminLoadLicense($licenseFile)
{
	// ...
	$data = include_once($licenseFile);
	// ...
}

The backdoor code checks for a secret key in incoming Web requests and when presented gives the key holder the ability to run commands on the e-commerce server.

Once $licenseFile runs, it initiates a chain of additional functions that eventually execute malicious PHP code on the machines of site visitors. Sansec’s post, linked above, provides additional details admins can use to determine if they’re infected.

In all, Sansec identified 21 extensions from the three providers that have been infected. They are:

Vendor Package
Tigren Ajaxsuite
Tigren Ajaxcart
Tigren Ajaxlogin
Tigren Ajaxcompare
Tigren Ajaxwishlist
Tigren MultiCOD
Meetanshi ImageClean
Meetanshi CookieNotice
Meetanshi Flatshipping
Meetanshi FacebookChat
Meetanshi CurrencySwitcher
Meetanshi DeferJS
MGS Lookbook
MGS StoreLocator
MGS Brand
MGS GDPR
MGS Portfolio
MGS Popup
MGS DeliveryTime
MGS ProductTabs
MGS Blog
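A defender-side check that combines the two indicators the article gives (the $licenseFile include pattern and the list of 21 affected packages). This is an added example, not Sansec's or Ars Technica's code; it assumes the modules are installed under Magento's app/code/<Vendor>/<Package> layout, and the sample store tree it scans is constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Vendor/package pairs transcribed from the table above. app/code/<Vendor>/<Package>
# is Magento's on-disk layout for modules installed outside composer (an assumption
# about how an affected store has them installed).
AFFECTED = (
    {("Tigren", p) for p in ("Ajaxsuite", "Ajaxcart", "Ajaxlogin", "Ajaxcompare", "Ajaxwishlist", "MultiCOD")}
    | {("Meetanshi", p) for p in ("ImageClean", "CookieNotice", "Flatshipping", "FacebookChat", "CurrencySwitcher", "DeferJS")}
    | {("MGS", p) for p in ("Lookbook", "StoreLocator", "Brand", "GDPR", "Portfolio", "Popup", "DeliveryTime", "ProductTabs", "Blog")}
)

# Indicator from the article: a license-loading function whose body executes the "license" file as PHP.
LICENSE_FUNC_RE = re.compile(r"function\s+adminLoadLicense\s*\(\s*\$licenseFile\b")
INCLUDE_RE = re.compile(r"\b(?:include_once|include|require_once|require)\s*\(?\s*\$licenseFile\b")

def scan_php_source(src: str) -> list[str]:
    """Return indicator names found in one PHP file's text (empty list if clean)."""
    findings = []
    if LICENSE_FUNC_RE.search(src) and INCLUDE_RE.search(src):
        findings.append("license file executed as PHP via adminLoadLicense")
    return findings

def affected_modules(root: Path) -> list[str]:
    """Names of listed packages present under app/code, e.g. 'Tigren_Ajaxsuite'."""
    return [f"{v}_{p}" for v, p in sorted(AFFECTED) if (root / "app" / "code" / v / p).is_dir()]

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map relative path -> findings for every PHP file under root that matches."""
    hits = {}
    for path in sorted(root.rglob("*.php")):
        findings = scan_php_source(path.read_text(errors="ignore"))
        if findings:
            hits[path.relative_to(root).as_posix()] = findings
    return hits

def build_demo_tree() -> Path:
    """Constructed sample store: one listed module carrying the pattern, one clean module."""
    root = Path(tempfile.mkdtemp())
    bad = root / "app" / "code" / "Tigren" / "Ajaxsuite" / "Helper" / "Data.php"
    bad.parent.mkdir(parents=True)
    bad.write_text("<?php\nclass Data {\n    protected function adminLoadLicense($licenseFile)\n"
                   "    {\n        $data = include_once($licenseFile);\n        return $data;\n    }\n}\n")
    clean = root / "app" / "code" / "Acme" / "Widget" / "Helper" / "Data.php"  # hypothetical vendor
    clean.parent.mkdir(parents=True)
    clean.write_text("<?php\nclass Data {\n    public function loadLicense($f) { return file_get_contents($f); }\n}\n")
    return root

if __name__ == "__main__":
    demo_root = build_demo_tree()
    print("listed modules installed:", affected_modules(demo_root))
    print("files with the backdoor pattern:", scan_tree(demo_root))
```

Point `affected_modules` and `scan_tree` at a real Magento root to triage; a hit on either check is a reason to pull the module and compare it against a clean copy from the vendor, not proof of compromise on its own.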

One of the biggest mysteries surrounding Sansec’s discovery is how the malware that kicked off the supply-chain attack managed to remain dormant and undetected for six years before coming to life. These sorts of delayed backdoors are a rarity. Sansec said it’s still investigating.

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.
Staff Picks
For those asking how to protect yourself: If you're using a credit card, then the worst that will happen is you'll need to dispute some charges and get a new card. It's annoying, but you won't be out any money. You could have a separate card for recurring bills to limit the annoyance of replacing one you use online.

Do not ever use your debit card online (or anywhere else if you can help it). You'll likely be able to get the charges reversed eventually, but you'll be out your own cash in the meantime, and the bank is less likely to care because it's not their money.

Stores (both online and brick-and-mortar) have data breaches constantly, so the only way to protect yourself is to not give them access to your money. Review your statements monthly to make sure the credit card hasn't been compromised, and report anything suspicious promptly. I've had a credit card stolen that I used exactly once for gas, at a station I went to frequently. Nothing and nowhere is safe. Use a credit card instead of a debit card, and it becomes mostly the bank's problem.