Meetanshi Magento extensions shipped license backdoors
Part of the "Magento extension vendors shipped license backdoors" campaign
Meetanshi extension downloads were part of the Magento license-backdoor campaign reported by Sansec. The affected vendor packages carried PHP backdoor code in license-check paths.
Story
Meetanshi was one of three Magento extension vendors Sansec named in its 2025 license-backdoor report. The affected artifacts were not random store infections; they were vendor-distributed extension ZIPs that customers could download and install as normal commercial software.
The inserted PHP posed as licensing code. Sansec reported fake License.php or LicenseApi.php paths loaded from extension registration code, with functions such as adminLoadLicense and adminUploadLicense able to execute attacker-controlled license content on the store.
Meetanshi is modeled separately from Tigren and MGS because its download site, package portfolio, and response were a distinct distribution boundary. Sansec reported that Meetanshi confirmed its server had been hacked while disputing that its software packages had been tampered with.
The operational risk was long dwell time. The campaign record carries the cross-vendor pattern and Sansec's estimate that hundreds to a thousand stores were running affected software; this page preserves the Meetanshi package names, download evidence, file indicators, and vendor-specific cleanup surface.
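One way to check an installed extension tree for the file and function indicators named in the Story above. This is an added example, not code from Sansec or Meetanshi; the function names scan_tree, build_sample and demo, the Vendor/ModA and Vendor/ModB paths, and the inert sample PHP are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators named on this page (as reported by Sansec).
SUSPECT_FILES = {"License.php", "LicenseApi.php"}
SUSPECT_FUNCS = re.compile(r"\b(adminLoadLicense|adminUploadLicense)\b")
# A require/include statement in registration code that pulls in a license file.
LOADER_REF = re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*\b(LicenseApi|License)\.php")

def scan_tree(root):
    """Return sorted (relative_path, reason) findings for one extension tree."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        if path.name in SUSPECT_FILES:
            funcs = sorted(set(SUSPECT_FUNCS.findall(text)))
            reason = "license file defines " + ",".join(funcs) if funcs else "license file name match"
            findings.append((rel, reason))
        elif path.name == "registration.php":
            m = LOADER_REF.search(text)
            if m:
                findings.append((rel, "registration loads " + m.group(1) + ".php"))
    return sorted(findings)

def build_sample(root):
    """Constructed, inert sample tree: one flagged module, one clean module."""
    files = {
        "Vendor/ModA/registration.php": "<?php require_once __DIR__ . '/License.php';\n",
        "Vendor/ModA/License.php": "<?php function adminLoadLicense($f) { return null; }\n",
        "Vendor/ModB/registration.php": "<?php // registers the module only\n",
        "Vendor/ModB/Helper/Data.php": "<?php class Data {}\n",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")

def demo():
    """Build the constructed sample in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

A file-name match without the function names is only a lead for manual review, since the scan checks names and strings rather than behaviour.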
Affected Artifacts
- Observed: 2019-01-01 to 2025-05-01
- Compromised Versions: Unknown
- Fixed: Not listed
- Evidence: distribution: meetanshi.com/media/downloads/Meetanshi_SocialLogin-2.0.5.zip, mirror: sansec.io/research/license-backdoor, file: License.php, file: LicenseApi.php, +4 more
- Sansec reported that Meetanshi confirmed its server had been hacked while disputing that its software had been tampered with.
Incident Context
- Motive: Remote Access
- Cause: Vendor Server Compromise
- Transitive: No
- User Impact: 1000
External References
- Magento supply chain attack compromises hundreds of e-stores (bleepingcomputer.com)
- Backdoor found in popular ecommerce components (sansec.io)
- Sansec uncovered a supply chain attack via 21 backdoored Magento extensions (securityaffairs.com)
- Backdoor Activates in Magento Supply Chain Attack Impacting 1000 Stores (cyberinsider.com)
- Hundreds of e-commerce sites hacked in supply-chain attack (arstechnica.com)
Source record: proprietary/meetanshi-magento-extensions/meta.yaml