Threat Research

Since 2015, Sansec tracks how attackers steal payment data from online stores. We find new skimmers, reverse-engineer malware, and share what we learn so merchants can act before damage is done.

Over 200 PrestaShop stores expose installer, allowing full takeover

Apr 14th • Sansec found over 200 live PrestaShop stores with their install directory publicly accessible. An attacker can overwrite the database configuration, gain admin access, and execute arbitrary code on the server.

prestashop rce misconfiguration

ClickFix malware hits DoD cybersecurity vendor homepage

Apr 10th • Sansec found a ClickFix clipboard hijacker on the homepage of a US government & military cybersecurity vendor. The same was found at a global restaurant chain the day before.

wordpress clickfix clipboard-hijacker

2026

SVG Onload Tag Hides Magecart Skimmer on 99 Stores

Apr 7th • Sansec discovered a large-scale Magecart campaign using invisible SVG elements to inject a fake checkout overlay on 99 Magento stores, exfiltrating payment data to six attacker-controlled domains.

magecart magento web-skimming +1

Mass PolyShell attack wave hits 471 stores in one hour

Mar 30th • Sansec detected 471 stores compromised in a single hour as attackers exploit the PolyShell vulnerability at scale. The attack injects obfuscated JavaScript from the freshly registered domain lanhd6...

magecart magento adobe-commerce +2

Novel WebRTC skimmer bypasses security controls at $100+ billion car maker

Mar 24th • Sansec discovered a payment skimmer that uses WebRTC DataChannels to receive its payload and exfiltrate stolen data, bypassing CSP and HTTP-based security tools.

magecart web-skimming webrtc +2

PolyShell: unrestricted file upload in Magento and Adobe Commerce

Mar 17th • PolyShell lets attackers upload executable files to any Magento or Adobe Commerce store via the REST API. Sansec has now observed attacks on 79.5% of all stores. No official patch exists for produc...

magento adobe-commerce rce +3

Digital skimmer hits global supermarket chain

Feb 20th • Sansec discovered a payment skimmer on the online store of a top-10 global supermarket chain. Despite repeated attempts to alert the company, the skimmer is still in place after 4 days.

magecart web-skimming prestashop +2

Building a faster YARA engine in pure Go

Feb 18th • We built a pure Go YARA engine that's 6.8x faster for text-based scanning, with no C dependencies. It now processes over 57,000 scans per day in production, and we're open-sourcing it today.

ecomscan open-source

Magento Developers Impersonated in Targeted GitHub Malware Operation

Feb 11th • Criminals are targeting Magento developers with fake GitHub repositories that deliver RAT and keylogger malware to Windows users.

magento supply-chain-attack malware

Claude finds 353 zero-days on Packagist

Jan 22nd • We built an AI-powered security pipeline to audit popular ecommerce extensions on Packagist. The vulnerabilities we found range from password leaks to full remote code execution.

magento adobe-commerce supply-chain-attack +1

The billion-dollar security.txt problem

Jan 16th • When Sansec found a keylogger on a major US bank employee site, the hardest part wasn't detecting the malware. It was finding someone to tell.

security-txt disclosure ecommerce-security

Keylogger targets 200,000+ employees at major US bank

Jan 15th • Sansec discovered an active keylogger on the employee merchandise store of a top 3 US bank. The malware harvests all form data (including passwords and personal information) from over 200,000 poten...

magecart web-skimming keylogger

ConnectPOS leaked Github secrets for years

Jan 12th • Sansec discovered that ConnectPOS has been showing their Github credentials on their site for 4 years. This would enable attackers to slip malicious code into each of the thousands of ConnectPOS re...

supply-chain-attack magento

2025

Critical backdoor found in MGT Varnish extension

Dec 15th • Sansec discovered an open backdoor in MGT Varnish, a popular cache manager for online stores. While the backdoor appears to be intended for remote support, it can be exploited by anyone.

magento backdoor vulnerability +1

SessionReaper attacks have started, 3 in 5 stores still vulnerable

Oct 22nd • Six weeks after Adobe's emergency patch, SessionReaper (CVE-2025-54236) has entered active exploitation. Sansec Shield blocked dozens of attacks today. With only 38% of stores patched and exploit d...

magento adobe-commerce rce +3

SessionReaper, unauthenticated RCE in Magento & Adobe Commerce (CVE-2025-54236)

Sep 8th • SessionReaper (CVE-2025-54236) is a critical bug in Magento & Adobe Commerce. The bug may hand full control of a store to unauthenticated attackers. Automated attacks have hit over 50% of all s...

magento adobe-commerce rce +3

Adobe patches critical Magento admin takeover via menu injection

Jun 12th • A new attack on Adobe Commerce may break the menu bar for admin users. If your menu bar is missing, someone is stealing your session via CVE-2025-47110.

magento adobe-commerce vulnerability +1

Backdoor found in popular ecommerce components

May 1st • Multiple vendors were hacked in a coordinated supply chain attack, Sansec found 21 applications with the same backdoor. Curiously, the malware was injected 6 years ago, but came to life this week a...

supply-chain-attack backdoor magento +1

Found defunct.dat on your site? You've got a problem.

Apr 3rd • Sansec found criminals mass-scanning for defunct.dat files which contain GSocket backdoor keys. A quick scan reveals dozens of infected stores.

backdoor malware adobe-commerce +1

You have 2 weeks left to set up CSP for your store

Mar 17th • Increasing use of Content Security Policy (CSP) as PCI-DSS 4.0 goes live on April 1st. However, our research shows that most online stores have not enabled CSP reporting - a critical requirement un...

pci ecommerce-security magento +3

Merchants left guessing at last-minute PCI-DSS u-turn

Mar 6th • Merchants outraged as PCI-SSC changes compliance criteria just weeks before the new regulation comes into effect.

pci ecommerce-security web-skimming

Magento Security Release APSB25-08 [Impact Analysis]

Feb 12th • Critical (CVSS 9.4) release enables attackers to take control of customer accounts.

magento adobe-commerce vulnerability

Sorry, client-side security does not work

Feb 3rd • Browser-based protection can easily be bypassed by the majority of digital skimming attacks.

web-skimming ecommerce-security pci

2024

Google services abused in skimming campaigns

Dec 31st • Attackers are abusing Google services like Translate and YouTube to bypass security measures and execute malicious campaigns. Recent incidents and strategies employed by these threat actors are out...

web-skimming magecart double-tap

Thousands of Adobe Commerce stores hacked in competing CosmicSting campaigns

Oct 1st • Cybercriminals have hacked 5% of all Adobe Commerce and Magento stores this summer. Among the victims are large international brands. Seven distinct groups are using CosmicSting attacks to plant ma...

magento adobe-commerce web-skimming +1

CosmicSting attack & defense overview

Sep 16th • CosmicSting (aka CVE-2024-34102) is the worst bug to hit Magento and Adobe Commerce stores in two years. Sansec observes that stores are getting hacked at a rate of 5 to 30 per hour. Merchants need...

magento adobe-commerce rce +2

Persistent backdoors injected on Adobe Commerce via new CosmicSting attack

Aug 27th • In our previous posts, we discussed how threat actors were abusing CosmicSting by injecting malicious scripts into CMS blocks. While these attacks continue, we've observed a significant escalation ...

magento adobe-commerce rce +3

CosmicSting attacks have started hitting major stores

Jul 12th • Almost a month ago, we warned about the CosmicSting attack that threatens 75% of Adobe Commerce stores. Sansec now observes mass-abuse of this vulnerability in the wild. Stores are getting hacked a...

magento adobe-commerce web-skimming +1

Polyfill supply chain attack hits 100K+ sites

Jun 25th • The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites.

supply-chain-attack malware web-skimming +1

CosmicSting attack threatens 75% of Adobe Commerce stores

Jun 18th • One week after the release of a critical security fix, just a quarter of all Adobe Commerce and Magento stores has been patched.

magento adobe-commerce vulnerability +2

Persistent Magento backdoor hidden in XML

Apr 4th • Does your Interceptor.php keep getting infected? Attackers are using a new method for malware persistence on Magento servers. Sansec discovered a cleverly crafted layout template in the database, w...

magento backdoor rce +1

Sansec joins forces with Google's VirusTotal

Mar 8th • Google, via its subsidiary VirusTotal, has selected Sansec as approved security vendor. Sansec will contribute its specialized intel on eCommerce security threats to the VirusTotal platform.

ecommerce-security malware

Sansec and Europol counter online skimming

Jan 9th • Europol, law enforcement authorities from 17 countries and the European Union Agency for Cybersecurity (ENISA) have joined forces with private sector partners such as Sansec.

europol web-skimming ecommerce-security +1

2023

Magento wish list exploit bypasses WAF protection

Dec 18th • Found your Magento 2 store hacked recently? Chances are, that attackers injected a malicious wish list. Just before Christmas? Oh the irony.

trojanorder magento vulnerability

Is your store’s newsletter being used for phishing?

Nov 10th • Cybercriminals in eCommerce are diversifying their targets, now aiming at entire customer databases instead of just stealing credit cards. A recent incident revealed this trend: a hacked Magento ad...

magento malware ecommerce-security

Malware Persistence via Telegram and GitHub

Aug 22nd • Credit card thieves now use Telegram and Github to steal customer data.

magecart web-skimming woocommerce

Postponed Exfiltration Evades Detection

May 9th • Criminals have come up with a clever way to steal customer data only after the regular checkout flow. This stealthy attack is very hard to detect.

web-skimming magecart

Sansec analysis: 12% of online stores leak private backups

Feb 7th • Sansec discovered that one in nine online stores accidentally expose private backups. This mistake could have dire consequences. Online criminals are actively scanning for these backups, as they co...

misconfiguration ecommerce-security database

Vendors defeat Magento security patch (+ simple check)

Jan 17th • Magento and Adobe Commerce stores around the world have been hammered with Trojan Order attacks this winter. And even if you have patched or installed Adobe’s 2.4.4 release, you may still be vulner...

trojanorder magento

2022

Fake Klaviyo accounts added to Magento

Dec 21st • Are your Magento admin accounts legitimate? Chances are, that a klaviyo_support_XXXX account was added this week. Best to quickly remove it and read this article.

magento backdoor database

Adobe Commerce merchants to be hit with TrojanOrders this season

Nov 15th • At least seven Magecart groups are injecting TrojanOrders at approximately 38% of Magento and Adobe Commerce websites in November.

trojanorder magento ecommerce-security

Extortion of Magento merchants

Nov 7th • Sansec has received reports of criminals trying to extort Magento merchants with the message below. As long as the sender does not produce evidence, they almost certainly did not steal your sensiti...

magento ecommerce-security malware

Surge in Magento 2 template attacks

Sep 22nd • The critical template vulnerability in Magento 2 (CVE-2022-24086) is gaining popularity among eCommerce cyber criminals. The majority of recent Sansec forensic cases concern this attack method. In ...

trojanorder magento backdoor

Magento vendor Fishpig hacked, backdoors added

Sep 13th • Fishpig, a vendor of popular Magento-Wordpress integrations, has been hacked. Sansec found that attackers have injected malware in Fishpig software and taken control of Fishpig servers. Online stor...

magento supply-chain-attack backdoor +1

Magento 2 critical vulnerability (CVE-2022-24086 & CVE-2022-24087)

Feb 14th • Adobe has released two emergency patches for a critical vulnerability in Magento 2. You need to apply both patches, in order. The vulnerability allows unauthenticated remote code execution (RCE), w...

trojanorder magento rce

NaturalFreshMall: a Magento Mass Hack

Feb 8th • An investigative report by Sansec researchers on how one vulnerable Magento extension leads to a mass web store attack, with Magecart attackers using naturalfreshmall.com to hide and serve malware ...

magento magento-1 magecart +2

2021

Magento and the Log4j vulnerability

Dec 13th • Updated Dec 20th. This article describes how Magento is affected by the critical log4j vulnerability, and what you can (and should) do to prevent a hack. A critical vulnerability in the popular Log...

magento vulnerability ecommerce-security

NginRAT parasite targets Nginx

Dec 1st • A new parasitic malware targets the popular Nginx web server, Sansec discovered. This novel code injects itself into a host Nginx application and is nearly invisible. The parasite is used to steal ...

malware backdoor ecommerce-security +1

CronRAT malware hides behind February 31st

Nov 24th • In the run-up to Black Friday, Sansec discovered a sophisticated threat that is packed with never-seen stealth techniques. This malware, dubbed "CronRAT", hides in the Linux calendar syst...

malware backdoor magecart +2

New linux_avp malware hits eCommerce sites

Nov 18th • Sansec discovered a new malicious agent "linux_avp" that hides as system process on eCommerce servers. It is being deployed around the world since last week and takes commands from a cont...

malware backdoor ecommerce-security +1

Google Apps Script used to steal data

Feb 18th • The Google business application platform Apps Script is used to funnel stolen personal data, Sansec learned. Attackers use the reputation of the trusted Google domain script.google.com to evade mal...

magecart web-skimming

2020

Fake payment page before checkout on Shopify and BigCommerce

Dec 24th • A new type of web skimmer was found on a dozen stores hosted on Shopify, BigCommerce, Zen Cart and WooCommerce. Hosted (SaaS) ecommerce platforms like BigCommerce and Shopify do not allow custom Ja...

web-skimming ecommerce-security double-tap +1

eCommerce trojan accidentally leaks victims

Dec 18th • Sansec discovered a clever remote access trojan (RAT) that has been hiding in the alleys of hacked eCommerce servers. Despite the advanced setup, perpetrators mistakenly left a list of victim store...

malware backdoor magecart +1

Persistent parasite in EOL Magento 2

Dec 2nd • Over the last months, hackers have quietly added a subtle security flaw to over 50 large online stores, only to exploit them right before Black Friday, Sansec research shows. The flaw's presence wo...

magento magecart web-skimming +1

Payment skimmer hides in social media buttons

Nov 26th • Researchers at Sansec have uncovered a novel technique to inject payment skimmers onto checkout pages. This new malware has two parts: a concealed payload and a decoder, of which the latter reads t...

web-skimming malware

Cardbleed: 3% of Magento install base hacked

Sep 14th • Update Sept 18: Cardbleed has infected 2806 Magento1 stores so far (3% of total install base) Over the weekend, almost two thousand Magento 1 stores across the world have been hacked in the larges...

magecart magento-1 web-skimming +2

North Korean hackers are skimming US and European shoppers

Jul 6th • North Korean state sponsored hackers are implicated in the interception of online payments from American and European shoppers, Sansec research shows. Hackers associated with the APT Lazarus/HIDDEN...

magecart web-skimming

Digital skimmer runs entirely on Google, defeats CSP

Jun 22nd • A newly discovered skimming campaign runs entirely on Google servers, Sansec research shows. The novel malware sends stolen credit cards directly to Google Analytics, evading security controls like...

magecart web-skimming

Lockdown: Stores closed, online stores hacked

Jun 15th • A day after Claire's (fashion retailer) closed its 3,000 stores, an anonymous party registered claires-assets.com. Later, Claire's got hacked.

magecart web-skimming

Do these two things to keep your Magento 1 store running after June

May 28th • Over a 100 thousands Magento 1 stores will be running after Adobe terminates support in June (end-of-life). Many merchants need more time to transition to Magento 2 or another platform. No need to ...

magento-1

Will Magento 1 stay PCI compliant?

May 8th • Magento 1 will no longer receive official updates & security fixes per July 1st, 2020 (the end-of-life, or EOL date). Merchants are urged to upgrade to Magento 2, but for many stores this deadl...

magento-1 pci

Sansec reveals longest Magecart skimming operation to date [Analysis]

Feb 25th • Sansec, a global leader in eCommerce security, reveals that hackers successfully infiltrated an online printing platform for more than two and a half years. Our research shows that crooks ran keylo...

magecart web-skimming

Sansec partners with Maxcluster

Feb 20th • Utrecht, February 20; Sansec is proud to announce that it has formed a long-term strategic partnership with maxcluster to bring its industry-leading anti-malware technology to the German e-commerce...

ecommerce-security

Indonesian Magecart hackers arrested

Jan 25th • The Indonesian police announced on Friday that they have arrested three alleged Magecart hackers on December 20th. The suspects are from Jakarta and Yogyakarta and are 23, 26 and 35 years old. Afte...

magecart web-skimming ecommerce-security

2019

Payment skimmers have impersonated Sansec

Dec 2nd • Payment skimmers are hiding their malpractice by impersonating our Sansec anti-skimming service. They have registered malicious domains sansec.us and sanguinelab.net, even using a fake address in A...

magecart web-skimming

American Cancer Society hit by payment skimmer

Oct 25th • Digital skimming groups (aka Magecart) hit another low, as they successfully targeted the American Cancer Society last night. Our skimmer detectors found a piece of malicious code embedded on the C...

magecart web-skimming

Magento security extentions vendor got hacked

Oct 7th • The store of a US Magento extension vendor was found compromised. Attackers had write access to the server selling extensions. We are awaiting a statement on the integrity of downloaded software. O...

magento supply-chain-attack web-skimming

FBI recommends malware scanning against skimming

Aug 17th • The FBI warns small and medium-sized businesses and government agencies against the threat of e-skimming. E-skimming occurs when cyber criminals inject malicious code onto a website. Read the origi...

fbi malware ecommerce-security

Sansec at Europol training: 50,000+ stores hacked

Aug 12th • Cementing itself as a global force in the protection against eCommerce fraud, Sansec has been invited to speak at the fifth edition of Europol’s Training Course on Payment Card Fraud Forensic Inves...

europol payment-fraud ecommerce-security

PCI-SSC/RHISAC quote Sansec: 20% stores reinfected

Aug 1st • The PCI Security Standards Council and the Retail & Hospitality ISAC alert merchants to the threat of digital skimming. In its report, it quotes Sansec research, which has found that about 20% ...

pci web-skimming magecart +1

Critical Magento 2 flaw exploited within 16 hours

May 10th • The number of hacked Magento 2 stores spiked in the last four weeks, after a critical security flaw was discovered in March and criminals stole admin passwords within 16 hours. Merchants are advise...

magento magecart web-skimming

Sports brand Puma infected with advanced malware

Apr 29th • On April 25th, sports brand Puma Australia got infected with the most sophisticated payment skimmer to date.

magecart web-skimming

57 payment gateways from Germany to Brazil targeted

Apr 29th • Sansec discovered a polymorphic skimmer that works with 57 different payment gateways. It has global reach, affecting payment systems from Germany to Brazil. It is by far the most advanced skimmer ...

magecart web-skimming payment-fraud

Credit cards of Atlanta Hawks fans stolen

Apr 24th • Online credit card thieves - also known as Magecart - have managed to inject a payment skimmer in the online store of the Atlanta Hawks. Fans who ordered merchandize on or after April 20th had thei...

magecart web-skimming

Bad extensions now main source of Magento hacks: a solution!

Jan 29th • In October last year Sansec discovered several Magento extension 0days. As it turns out, this was only the tip of the iceberg: today, insecure 3rd party extensions are used to hack into thousands o...

magento magecart vulnerability +1

Large sites hacked via Adminer database tool

Jan 20th • This week Sansec discovered that large ecommerce and government sites got hacked via the Adminer database tool. As it turns out, the root cause is a protocol flaw in MySQL. Curiously, it is describ...

vulnerability database ecommerce-security

PHP tool 'Adminer' leaks passwords

Jan 17th • Update 2019-01-20: the root cause is a protocol flaw in MySQL. Adminer is a popular PHP tool to administer MySQL and PostgreSQL databases. However, it can be lured to disclose arbitrary files. Atta...

vulnerability database disclosure

2018

Competing digital skimmers sabotage each other

Nov 20th • Skimmers found to subtly sabotage each others fraud operations. Competition is grim in the online skimming business (aka "MageCart"). The aggressive MagentoCore skimmer was previously obs...

magecart web-skimming

Merchants struggle with MageCart reinfections

Nov 12th • 1 in 5 compromised merchants get reinfected, average skimming operation lasts 13 days MageCart, the notorious actors behind massive online card skimming, has been busy. And so have we: our crawlers...

magecart web-skimming ecommerce-security

Backdoor found in Webgility

Oct 30th • Update Nov 23rd: Webgility has released a patch and a public statement, urging all customers to upgrade to version 345. Update Nov 30th: Webgility has discovered another security issue and urges al...

magento backdoor vulnerability

Unpublished security flaws (0days) massively exploited

Oct 23rd • Online credit card theft has been all over the news: criminals inject hidden card stealers on legitimate checkout pages. But how are they are able to inject anything in the first place? As it turns...

magecart magento 0day +1

German political party store hacked before election

Oct 15th • The store of German political party CSU (www.csu-shop.de) contains an identity skimmer that was planted on or before Oct 5th, right before the Bavarian election on Oct 14th. Personal identifyable i...

magecart web-skimming

MageCart: now with tripwire

Oct 4th • Back in 2016, Magecart skimmers would evade detection by sleeping if any developer tools were found running. Then, their malware would 404 without correct Referer or User-Agent header. And now, Mag...

magecart web-skimming malware

ABS-CBN next in series of high profile breaches

Sep 18th • While Filipinos are recovering from typhoon Mangkhut, another misfortune awaits them online. We found their broadcasting giant ABS-CBN − a $740 million conglomerate & top-500 global Internet de...

magecart web-skimming

Is your Google Analytics code malicious?

Sep 6th • Would you - a webdeveloper - get alarmed if you found the following code on your website? Probably not, as Google Analytics is embedded in pretty much every website these days: <script type=&quo...

magecart web-skimming

MagentoCore group hacks 7,339 stores and counting

Aug 30th • A single group is responsible for planting skimmers on 7339 individual stores in the last 6 months. The MagentoCore skimmer is now the most successful to date. Update 2018-09-07: Because Google Chr...

web-skimming magento

2017

Hackers breached Magento through helpdesk

Dec 28th • Magento merchants have recently received messages like this: Hey, I strongly recommend you to make a redesign! Please contact me if you need a good designer! -- knockers@yahoo.com Upon closer exa...

magento web-skimming vulnerability

Cryptojacking found on 2496 online stores

Nov 7th • Does your laptop get hot when visiting your favorite shop? You computer is likely mining cryptocurrencies to the benefit of a cyberthief. Cryptojacking - running crypto mining software in the brow...

magento malware ecommerce-security

Why ordering HTTP headers is important

May 2nd • If you code against Akamai hosted sites, you could be rejected because your HTTP library sends request headers in the wrong order. In fact, most libraries use undefined order, as the IETF specifica...

ecommerce-security

Warning: fake Magento patch 9789 contains virus

Apr 21st • Update May 21st: a similar phishing mail circulates about a fake patch SUPEE-1798. Update Apr 22nd: added reference to Neutrino Bot and POS systems This week a mail was sent out to announce the ne...

magento malware ecommerce-security

A Magento breach analysis: part 1

Apr 12th • Part of a series where Magento security professionals share their case notes, so that we can ultimately distill a set of best practices, tools and workflow. Part of the job of running the MageRepor...

magento malware backdoor

An OpenCart/Magento hacking dashboard

Apr 7th • This post shows how sophisticated Magento hacking operations have become nowadays. While investigating a bruteforced Magento store, we noticed that the hacker logged in using a curious referrer sit...

magento malware ecommerce-security +1

Self-healing malware restores itself after deletion

Feb 14th • Regular Javascript-based malware is normally injected in the static header or footer HTML definitions in the database. Cleaning these records used to be sufficient to get rid of the malware. But no...

magento malware web-skimming +1

2016

Visbot malware found on 6691 stores [analysis]

Dec 1st • Visbot is one of the oldest Magecart payment skimmers: it steals customer data and credit cards. The first case was documented as early as March 2015. But being publicly discussed did not stop it f...

magecart magento web-skimming +1

2015

Criminals have rewired 3,500 online stores

Nov 17th • Criminals have secretly rewired 3,500 online stores to continuously harvest credit card numbers. The fraud can be traced back as far as May 12th 2015, so if you have bought something at one of thes...

web-skimming magento

Scan your store now
for malware & vulnerabilities

$ curl ecomscan.com | sh

eComscan is the most thorough security scanner for Magento, Adobe Commerce, Shopware, WooCommerce and many more.

Learn more