Magento Extensions
Magento extensions backdoored in coordinated supply chain attack.
Servers of multiple Magento extension vendors (including Tigren, Meetanshi, MGS) were compromised. Attackers injected PHP backdoors into at least 21 popular commercial extensions. The backdoors, some dormant for years but activated in 2025, allowed remote code execution on e-commerce stores using the compromised extensions.
- Date
- 2019-01-01 to 2025-04-20
- Category
- Commercial
- Target Surface
- Distribution
- Insertion Phase
- distribution
- Impact
- Backdoor
- Cause
- Vendor server compromise
What Was Affected
Package
Magento Extensions
Component
Library
Artifact type
source archive
Domain type
project download host
Domain
Multiple vendor websites
Compromised Versions
- Multiple versions of 21+ extensions from vendors Tigren, Meetanshi, MGS, potentially Weltpixel
Incident Context
- Motive
- Remote access
- Transitive
- No
- User Impact
- 1000
- Observed Duration
- 2301 days
Evidence
Compromised Artifacts
- tigren.com/m2/extensions/tigren-ajax-cart.zip
- meetanshi.com/media/downloads/Meetanshi_SocialLogin-2.0.5.zip
- magesolution.com/downloads/MGS_Fbuilder_v2.2.1.zip
Current Artifacts and Analysis
Indicators and Changes
Hashes
- sha256:e8edc2b931eb5b24a6fdc705add5685ab88e268d7c5179cb42c235a8192b10c1
- md5:c8ed5ee17d5c95dbe8a9c3c73dc7043c
External References
Source Data
Source record: proprietary/magneto/meta.yaml