Magento extension vendors shipped license backdoors
Tigren, Meetanshi, and MGS extension downloads carried PHP license-check backdoors. Sansec found 21 affected Magento modules, with abuse active by April 2025.
Story
This is not a generic Magento backdoor record. Magento is an ecosystem, and most Magento malware reaches stores through stolen admin credentials, old vulnerabilities, uploaded webshells, or injected checkout JavaScript. This record is narrower: Sansec found vendor-distributed extension packages that already carried the same PHP backdoor.
The confirmed supply-chain scope covered Tigren, Meetanshi, and Magesolution (MGS). Sansec identified 21 affected modules published between 2019 and 2022, and reported that the vendor download servers had been breached. A Weltpixel GoogleTagManager package looked suspicious too, but Sansec could not establish where it had been altered.
The inserted code posed as license logic. A fake License.php or LicenseApi.php file was loaded from registration.php, and its adminLoadLicense function executed attacker-controlled $licenseFile content as PHP. Older 2019 variants did not require authentication; later variants gated execution behind vendor-specific checks such as requestKey and dataSign.
The code stayed dormant for years. Sansec reported active use since at least 2025-04-20 and estimated that 500 to 1,000 stores were running affected software, including one large multinational. Vendor response was uneven: Meetanshi confirmed a server hack while disputing that its packages had been tampered with, Tigren denied any compromise, and MGS did not respond.
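As an added example, not taken from Sansec's report or from any vendor's code: a small Python scanner that applies the pattern described above (a registration.php that pulls in a License.php or LicenseApi.php, and that file defining adminLoadLicense() and handing a variable to a PHP code-execution construct) to a Magento app/code tree. The regexes, the Acme_* module names and the sample file contents are constructed for the demonstration; a hit is a triage lead, not proof of compromise.

```python
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# Heuristics (assumed, not from Sansec's report): a registration.php that requires/includes
# a License*.php, and that file defining adminLoadLicense() or passing a variable to eval().
LICENSE_INCLUDE = re.compile(r"(?:require|include)(?:_once)?\s*\(?\s*[^;\n]*License(?:Api)?\.php")
LOADER_FUNC = re.compile(r"function\s+adminLoadLicense\s*\(")
DYNAMIC_EXEC = re.compile(r"\b(?:eval|assert|create_function)\s*\(\s*\$\w+")

def scan_extension(module_dir: Path) -> list[str]:
    """Return findings for one Vendor/Module directory (empty list if nothing matched)."""
    findings: list[str] = []
    reg = module_dir / "registration.php"
    if not reg.is_file() or not LICENSE_INCLUDE.search(reg.read_text(errors="replace")):
        return findings
    findings.append(f"{reg}: registration.php loads a License*.php file")
    for lic in sorted(module_dir.rglob("License*.php")):
        src = lic.read_text(errors="replace")
        if LOADER_FUNC.search(src):
            findings.append(f"{lic}: defines adminLoadLicense()")
        if DYNAMIC_EXEC.search(src):
            findings.append(f"{lic}: passes a variable to a PHP code-execution construct")
    return findings

def scan_app_code(root: Path) -> dict[str, list[str]]:
    """Scan every Vendor/Module directory under an app/code root; keys are 'Vendor/Module'."""
    results: dict[str, list[str]] = {}
    for module in sorted(p for p in root.glob("*/*") if p.is_dir()):
        hits = scan_extension(module)
        if hits:
            results[module.relative_to(root).as_posix()] = hits
    return results

def build_sample_tree() -> Path:
    """Constructed sample app/code tree: one clean module and one matching the pattern."""
    root = Path(tempfile.mkdtemp()) / "app" / "code"
    clean = root / "Acme" / "Clean"
    clean.mkdir(parents=True)
    (clean / "registration.php").write_text(
        "<?php\nuse Magento\\Framework\\Component\\ComponentRegistrar;\n"
        "ComponentRegistrar::register(ComponentRegistrar::MODULE, 'Acme_Clean', __DIR__);\n")
    sus = root / "Acme" / "Suspicious"
    sus.mkdir(parents=True)
    (sus / "registration.php").write_text(
        "<?php\nrequire_once __DIR__ . '/License.php';\n"
        "ComponentRegistrar::register(ComponentRegistrar::MODULE, 'Acme_Suspicious', __DIR__);\n")
    (sus / "License.php").write_text(
        "<?php\nfunction adminLoadLicense($licenseFile) { eval($licenseFile); }\n")
    return root

if __name__ == "__main__":
    for mod, hits in scan_app_code(build_sample_tree()).items():
        print(mod, *hits, sep="\n  ")
```

Point scan_app_code() at a real app/code directory (and at vendor/ for Composer-installed modules) to review live stores.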
Linked Attacks
2019
- Tigren extension downloads were part of the Magento license-backdoor campaign reported by Sansec. The affected vendor packages carried PHP backdoor code in license-check paths.
- Meetanshi extension downloads were part of the Magento license-backdoor campaign reported by Sansec. The affected vendor packages carried PHP backdoor code in license-check paths.
- MGS extension downloads were part of the Magento license-backdoor campaign reported by Sansec. The affected vendor packages carried PHP backdoor code in license-check paths.
Campaign Context
- Cause: Unknown
- User Impact: 1000
Affected Packages
Notes
- The users value records Sansec's upper estimate of stores running affected software, not individual shoppers or confirmed data-theft victims.
- FishPig's 2022 Magento extension compromise is tracked separately because it involved a different vendor, payload, and date window.
- PolyShell, Xurum, MagnetoCore, and generic Magento webshell reports describe post-install exploitation or store compromise. They are related Magento ecosystem activity, but not modeled here as vendor-distributed poisoned artifacts.
- Tigren, Meetanshi, and MGS are modeled as separate attacks because each vendor download path is a separate trust boundary.
- Weltpixel remains campaign context because the reporting treated it as suspicious but did not confirm where the package was altered.
External References
- Magento supply chain attack compromises hundreds of e-stores (bleepingcomputer.com)
- Backdoor found in popular ecommerce components (sansec.io)
- Sansec uncovered a supply chain attack via 21 backdoored Magento extensions (securityaffairs.com)
- Backdoor Activates in Magento Supply Chain Attack Impacting 1000 Stores (cyberinsider.com)
- Hundreds of e-commerce sites hacked in supply-chain attack (arstechnica.com)
Source record: proprietary/campaigns/magento-license-backdoor-2025/meta.yaml