MGS Magento extensions shipped license backdoors
Part of the campaign "Magento extension vendors shipped license backdoors"
MGS extension downloads were part of the Magento license-backdoor campaign reported by Sansec. The affected vendor packages carried PHP backdoor code in license-check paths.
Story
MGS, also listed as Magesolution, was one of the Magento extension vendors in Sansec's 2025 license-backdoor findings. The supply-chain issue was vendor-side: affected ZIP packages were distributed through the vendor's own download path, not added later through a compromised store admin panel.
The backdoor hid in code that looked like licensing infrastructure. Sansec reported fake License.php or LicenseApi.php files loaded from registration.php, with license helper functions that could execute attacker-controlled PHP. That placement gave the implant a plausible name and a reason to sit inside commercial extension packages.
MGS is modeled separately because its packages and distribution site were a distinct trust boundary. Sansec reported MGS Lookbook, StoreLocator, Brand, GDPR, Portfolio, Popup, DeliveryTime, ProductTabs, and Blog among the affected package set, and noted that MGS had not responded while backdoored packages remained available on April 30, 2025.
This page carries the MGS-specific evidence for inventory and cleanup. The parent campaign record explains the broader cross-vendor pattern, long dwell time from 2019-era packages, and Sansec's estimate that hundreds to a thousand Magento stores were running affected software.
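An inventory check for the pattern described above, added here as an example (not Sansec's or MGS's code): it walks a Magento 2 tree and reports modules whose registration.php includes License.php or LicenseApi.php. The `app/code/<Vendor>/<Module>` layout and the function name `scan` are assumptions; a hit is a lead for manual review of the loaded file.

```python
import re
from pathlib import Path

# MGS packages named in Sansec's report, as listed on this page.
MGS_MODULES = {"Lookbook", "StoreLocator", "Brand", "GDPR", "Portfolio",
               "Popup", "DeliveryTime", "ProductTabs", "Blog"}

# An include/require statement in registration.php that pulls in
# License.php or LicenseApi.php (the file names Sansec reported).
LOADS_LICENSE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*?\b(License(?:Api)?\.php)",
    re.IGNORECASE | re.DOTALL,
)

def scan(magento_root):
    """Return one finding per module whose registration.php loads a license file."""
    findings = []
    # Assumed layout: app/code/<Vendor>/<Module>/registration.php
    for reg in sorted(Path(magento_root).glob("app/code/*/*/registration.php")):
        text = reg.read_text(encoding="utf-8", errors="replace")
        loaded = sorted(set(LOADS_LICENSE.findall(text)))
        if not loaded:
            continue
        vendor, module = reg.parent.parent.name, reg.parent.name
        findings.append({
            "module": f"{vendor}_{module}",
            "loads": loaded,
            # True when the module is one of the MGS packages named above.
            "listed_mgs_package": vendor == "MGS" and module in MGS_MODULES,
            # License files actually present anywhere in the module directory.
            "files_on_disk": sorted(
                str(p.relative_to(reg.parent))
                for p in reg.parent.rglob("License*.php")
                if p.name in ("License.php", "LicenseApi.php")),
        })
    return findings

if __name__ == "__main__":
    import sys
    for finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Composer-installed copies under `vendor/` are not matched by this glob and need a separate pass.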
Affected Artifacts
- Observed: 2019-01-01 to 2025-04-30
- Compromised Versions: Unknown
- Fixed: Not listed
- Evidence: distribution: magesolution.com/downloads/MGS_Fbuilder_v2.2.1.zip, mirror: sansec.io/research/license-backdoor, file: License.php, file: LicenseApi.php, +4 more
- Sansec reported that MGS did not respond and that backdoored packages were still available from MGS as of April 30, 2025.
Incident Context
- Motive: Remote Access
- Cause: Vendor Server Compromise
- Transitive: No
- User Impact: 1000
External References
- Magento supply chain attack compromises hundreds of e-stores (bleepingcomputer.com)
- Backdoor found in popular ecommerce components (sansec.io)
- Sansec uncovered a supply chain attack via 21 backdoored Magento extensions (securityaffairs.com)
- Backdoor Activates in Magento Supply Chain Attack Impacting 1000 Stores (cyberinsider.com)
- Hundreds of e-commerce sites hacked in supply-chain attack (arstechnica.com)
Source record: proprietary/mgs-magento-extensions/meta.yaml