Thousands of Magento Sites Hit in Ongoing Defacement Campaign
Over 7,500 Magento e-commerce sites have been hit in an ongoing defacement campaign since February 27, 2026, with attackers uploading defacement files across 15,000+ hostnames. The attacks exploit an unauthenticated file upload vulnerability in Magento Open Source, Enterprise, and Adobe Commerce, affecting global brands like Asus, Toyota, and FedEx, plus government services and nonprofits. A related vulnerability dubbed PolyShell in the REST API could allow executable uploads without authentication across all versions up to 2.4.9-alpha2, though no active wild exploitation has been observed yet.
Summary
Over 7,500 Magento e-commerce sites have been hit in an ongoing defacement campaign since February 27, 2026, with attackers uploading defacement files across 15,000+ hostnames. The attacks exploit an unauthenticated file upload vulnerability in Magento Open Source, Enterprise, and Adobe Commerce, affecting global brands like Asus, Toyota, and FedEx, plus government services and nonprofits. A related vulnerability dubbed PolyShell in the REST API could allow executable uploads without authentication across all versions up to 2.4.9-alpha2, though no active wild exploitation has been observed yet.
Full text
Over 7,500 Magento sites have been hit in a mass defacement campaign that started three weeks ago, digital risk protection platform Netcraft reports. As part of the attacks, threat actors deployed defacement files directly on the affected infrastructure, in the form of plaintext files, across more than 15,000 hostnames. Most of the observed text files contain the attacker handles, but a fraction of them involve political messages referencing recent geopolitical conflicts. “At the time of publication, these messages appeared for only a single day, 7 March 2026. They were not present in earlier or later defacements, suggesting that this was not the primary motivation of the campaign,” Netcraft says. The security firm notes that most of the incidents were reported to the defacement archive Zone-H using the account ‘Typical Idiot Security’, which is also the handle present in the defacement messages, suggesting that the threat actor is trying to build a reputation. According to Netcraft, the attacker is likely exploiting an unauthenticated file upload vulnerability impacting Magento Open Source (Community Edition), Magento Enterprise / Adobe Commerce, and Adobe Commerce deployments with Magento B2B.Advertisement. Scroll to continue reading. Netcraft identified similarities with the October 2025 attacks exploiting the SessionReaper flaw and was able to exploit the latest Magento Community version to upload a text file to a test instance. The campaign affected global brands such as Asus, BenQ, Citroën, Diesel, FedEx, Fiat, FilaBandai, Lindt, Toyota, and Yamaha, mainly hitting subdomains, regional storefronts, and staging environments, though some production-facing sites were also briefly defaced. Several regional government services, university domains in Latin America and Qatar, and international non-profit organizations were also affected. Several domains associated with the Trump Organization were also defaced. PolyShell vulnerability News of the defacement campaign came while Sansec reported a new flaw in the REST API of Magento and Adobe Commerce that could be exploited to upload executables to any store, without authentication. The bug, it says, impacts all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2, and could be exploited for XSS in all iterations before version 2.3.5. “The vulnerable code has existed since the very first Magento 2 release. Adobe fixed it in the 2.4.9 pre-release branch as part of APSB25-94, but no isolated patch exists for current production versions,” Sansec says. According to the security company, which named the vulnerability PolyShell, many sites expose files in the upload directory, but the flaw does not appear to have been exploited in the wild. “Sansec has not observed active exploitation so far. However, the exploit method is circulating already, and Sansec expects automated attacks to appear soon,” the cybersecurity firm says. Related: Threat Actor Targeting VPN Users in New Credential Theft Campaign Related: Hundreds of Salesforce Customers Allegedly Targeted in New Data Theft Campaign Related: Cloned AI Tool Sites Distribute Malware in ‘InstallFix’ Campaign Related: LastPass Warns of New Phishing Campaign Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Security Firm Aura Discloses Data Breach Impacting 900,000 RecordsRussian APT Exploits Zimbra Vulnerability Against UkraineRaven Emerges From Stealth With $20 Million in Funding‘DarkSword’ iOS Exploit Kit Used by State-Sponsored Hackers, Spyware VendorsEU Sanctions Chinese, Iranian Firms Supporting Hacking OperationsManifold Raises $8 Million for AI Detection and ResponseApple Debuts Background Security Improvements With Fresh WebKit PatchesTech Giants Invest $12.5 Million in Open Source Security Latest News Allure Security Raises $17 Million for Online Brand ProtectionCritical Langflow Vulnerability Exploited Hours After Public DisclosureAisuru and Kimwolf DDoS Botnets Disrupted in International OperationOasis Security Raises $120 Million for Agentic Access Management1stProtect Emerges From Stealth With $20 Million in FundingCritical ScreenConnect Vulnerability Exposes Machine KeysPrivacy Platform Cloaked Raises $375M to Expand Enterprise ReachIran Readied Cyberattack Capabilities for Response Prior to Epic Fury Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveSecurityBridge has promoted Holger Hügel to Chief Technology Officer.Armis has appointed Simon Mouyal as Chief Marketing Officer.Omada has named Jakob H. Kraglund as Chief Executive Officer.More People On The MoveExpert Insights The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- malware — Typical Idiot Security
- cve — PolyShell
- cve — SessionReaper