Tigren Magento extensions shipped license backdoors

Tigren was one of the vendor download paths Sansec tied to the 2025 Magento license-backdoor campaign. The affected artifacts were commercial Magento extension ZIPs, which made the incident a supply-chain problem rather than a normal post-install store compromise.

The malicious code wore the shape of licensing logic. Sansec reported fake License.php code loaded from registration.php, with functions such as adminLoadLicense and adminUploadLicense that could execute attacker-controlled PHP. In Tigren's case, the observable license marker was apj-license.

Tigren is modeled separately from Meetanshi and MGS because its package portfolio and vendor download site were their own trust boundary. Sansec named Tigren Ajaxsuite, Ajaxcart, Ajaxlogin, Ajaxcompare, Ajaxwishlist, and MultiCOD in the affected set, and reported that Tigren denied compromise while backdoored packages were still available from its site on April 30, 2025.

This page preserves the Tigren-specific package and indicator evidence. The parent [[magento-license-backdoor-2025]] record carries the shared license-backdoor pattern, years-long dwell time, and cross-vendor exposure estimate.

Motive

Remote Access

Cause

Vendor Server Compromise

Transitive

No

User Impact

1000

• Magento supply chain attack compromises hundreds of e-storesbleepingcomputer.com
• Backdoor found in popular ecommerce componentssansec.io
• Sansec uncovered a supply chain attack via 21 backdoored Magento extensionssecurityaffairs.com
• Backdoor Activates in Magento Supply Chain Attack Impacting 1000 Storescyberinsider.com
• Hundreds of e-commerce sites hacked in supply-chain attackarstechnica.com