A coordinated supply chain attack has compromised between 500 and 1,000 e-commerce websites by exploiting vulnerabilities in 21 Magento extensions from vendors Tigren, Meetanshi, and Magesolution (MGS). Security firm Sansec discovered that attackers had injected backdoors into these extensions as early as 2019, with the malicious code remaining dormant until activated in April 2025. The backdoor allows remote code execution, enabling attackers to upload and execute arbitrary PHP code on affected servers.
The compromised extensions include Tigren’s Ajaxsuite, Ajaxcart, and MultiCOD; Meetanshi’s CookieNotice, CurrencySwitcher, and DeferJS; and MGS’s Lookbook, StoreLocator, and GDPR modules.
The backdoor operates through a malicious ‘license check’ in files named License.php or LicenseApi.php, which execute attacker-controlled code via functions like adminLoadLicense. Earlier versions required no authentication, while later versions used hardcoded keys for access.
Sansec advises merchants using these extensions to audit their installations immediately. Affected files should be removed, and servers should be scanned for additional malware. Restoring from clean backups is recommended to ensure system integrity.
This incident is just another in a series that underscores the importance of supply chain security and the need for vigilant monitoring of third-party software components.
For additional information, you can go to https://sansec.io/research/license-backdoor
