
Magento security extensions vendor got hacked

The store of a US Magento extension vendor was found compromised. Attackers had write access to the server selling extensions. We are awaiting a statement on the integrity of downloaded software.

Our malware crawlers detected a compromise of Extendware, a vendor of Magento extensions such as “Two-Factor Authentication”. Attackers injected a payment skimmer on Oct 4th, as shown by this addition to the source code:

The actual skimmer, which can be found here, is a fairly standard keylogger. It sends customer card data to holystonetoy.com, which is likely another compromised store under the control of the attacker.

While our crawlers discover 50+ skimmers on a daily basis, this case stands out. First, the presence of malware proves that attackers had write access to Extendware’s server. In theory, they could have injected a backdoor or skimmer in all of the Extendware products, thereby gaining control of all stores that would install their software. This is also known as a “supply chain attack”.

Second, because e-commerce vendors are such an attractive target to payment skimmers, this Extendware case suggests that attackers may have used a novel method to gain access.

We have reported this breach to Extendware and asked about the integrity of their products but haven’t heard back yet. Meanwhile, we recommend that merchants who downloaded Extendware products in the last week do not install them and await further instructions from the vendor.
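While waiting for the vendor, downloaded extension packages can be triaged without unpacking them. The script below is an added example, not Sansec's or Extendware's code: it searches each file inside a zip or tar archive for the exfiltration domain named above, in plain text and in its three base64 alignments. The base64 check and the 5 MiB size limit are assumptions of this example, and a clean result only means this one indicator is absent, not that the package is intact.

```python
import base64
import sys
import tarfile
import zipfile

IOC_DOMAIN = b"holystonetoy.com"  # exfiltration domain named in the article
MAX_MEMBER = 5 * 1024 * 1024      # assumption: skip members larger than 5 MiB


def needles(domain=IOC_DOMAIN):
    """Return {label: bytes}: the plain domain and its three base64 alignments."""
    out = {"plain": domain.lower()}
    for shift in range(3):
        enc = base64.b64encode(b"\0" * shift + domain).rstrip(b"=")
        if (shift + len(domain)) % 3:
            enc = enc[:-1]  # last char depends on the bytes that follow
        out[f"base64+{shift}"] = enc[(0, 2, 3)[shift]:]  # drop chars set by the prefix
    return out


def members(path):
    """Yield (name, bytes) for each regular file in a .zip or .tar(.gz) archive."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if not info.is_dir() and info.file_size <= MAX_MEMBER:
                    yield info.filename, zf.read(info)
    elif tarfile.is_tarfile(path):
        with tarfile.open(path) as tf:
            for info in tf:
                if info.isfile() and info.size <= MAX_MEMBER:
                    yield info.name, tf.extractfile(info).read()
    else:
        raise ValueError(f"{path}: not a zip or tar archive")


def scan_archive(path):
    """Return sorted (member, label) hits; nothing is extracted to disk."""
    hits = set()
    for name, data in members(path):
        for label, needle in needles().items():
            haystack = data.lower() if label == "plain" else data
            if needle in haystack:
                hits.add((name, label))
    return sorted(hits)


if __name__ == "__main__":
    for archive in sys.argv[1:]:
        for name, label in scan_archive(archive):
            print(f"{archive}: {name}: {label}")
```
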

NB. Extendware runs a McAfee Secure seal which does not detect the compromise yet:
