Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers
Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21 popular e-commerce applications, granting hackers full control over hundreds of online stores.
This malicious campaign, which began with the injection of backdoors as early as six years ago, was activated this week, exposing vulnerabilities in software from vendors such as Tigren, Meetanshi, MGS (Magesolution), and potentially Weltpixel.
Sansec estimates that between 500 and 1,000 stores are currently running backdoored software, including a $40 billion multinational retailer, with active exploitation detected since at least April 20, 2025.
Coordinated Supply Chain Attack
The attack, characterized as a supply chain hack (one of the most devastating types of cyber threats), allowed attackers to breach the servers of Tigren, Meetanshi, and MGS, embedding backdoors into their downloadable packages between 2019 and 2022.
By targeting these vendors, hackers gained indirect access to all customer stores using the tainted software, and by extension, to the personal data of countless shoppers visiting these platforms.
Affected applications include Tigren’s Ajaxsuite, Ajaxcart, and Ajaxlogin, Meetanshi’s ImageClean and CookieNotice, and MGS’s Lookbook and GDPR modules, among others.
Additionally, a compromised version of Weltpixel’s GoogleTagManager extension was identified, though it remains unclear whether the vendor itself or specific stores were breached.
Technical Details of the Backdoor Mechanism
The malicious code resides in a deceptive license validation mechanism within files named License.php or LicenseApi.php.
The core vulnerability lies in the adminLoadLicense function, which executes attacker-controlled input from a $licenseFile variable as PHP code, enabling remote code execution.
Earlier versions of the software allowed unauthenticated access to this function, while later iterations introduced a secret key verification using hardcoded values like SECURE_KEY and SIGN_KEY, which differ per vendor but are nonetheless static and potentially reversible.
The backdoor is explicitly triggered through a registration.php file, which loads the malicious license check if the corresponding file exists.
Though the core exploit remains consistent across packages, variations exist in authorization checksums, backdoor paths, and license filenames unique to each vendor, such as mtn-license for Meetanshi and apj-license for Tigren.
According to the report, Sansec urges store owners using software from the affected vendors to take immediate action.
Checking for suspicious license files and scrutinizing server logs for unauthorized access are critical steps to mitigate damage.
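The file check described above, as an added example (not Sansec's tooling or any vendor's code): a Python scan for the on-disk markers this article names. It assumes those markers appear as literal strings and that the vendor license names occur in file names; the tree built in demo() is constructed from inert stubs, and a match is a lead for manual review, not proof of compromise.

```python
import os
import tempfile

LICENSE_FILENAMES = ("License.php", "LicenseApi.php")   # file names given in the article
CODE_MARKERS = ("adminLoadLicense", "$licenseFile")     # function and variable named
KEY_MARKERS = ("SECURE_KEY", "SIGN_KEY")                # hardcoded key constants
VENDOR_LICENSE_NAMES = ("mtn-license", "apj-license")   # Meetanshi, Tigren

def scan_tree(root):
    """Return sorted (relative_path, reason) pairs that merit manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Assumption: vendor license names show up in the file name itself.
            if any(v in name for v in VENDOR_LICENSE_NAMES):
                findings.append((rel, "vendor-license-file"))
                continue
            if not name.endswith(".php"):
                continue
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if name in LICENSE_FILENAMES and all(m in text for m in CODE_MARKERS):
                keyed = any(k in text for k in KEY_MARKERS)
                findings.append((rel, "license-loader+static-key" if keyed else "license-loader"))
            elif name == "registration.php" and any(f in text for f in LICENSE_FILENAMES):
                findings.append((rel, "registration-loads-license"))
    return sorted(findings)

def demo():
    """Build a constructed module tree (inert stubs only) and scan it."""
    samples = {
        "VendorA/Mod/Helper/License.php":
            "<?php // constructed stub\nfunction adminLoadLicense($licenseFile) {}\n// SECURE_KEY\n",
        "VendorA/Mod/registration.php": "<?php // constructed\n$f = __DIR__ . '/Helper/License.php';\n",
        "VendorB/Shop/Model/License.php": "<?php // constructed, ordinary license class\n",
        "VendorB/Shop/registration.php": "<?php // constructed, no license include\n",
        "var/mtn-license": "constructed placeholder\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
```

Point scan_tree() at the directory holding the store's installed extensions, then compare every flagged file against a clean copy of the same package version.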
This attack underscores the cascading risks of supply chain vulnerabilities, where a single breach at the vendor level can compromise an entire ecosystem of businesses and consumers.
As e-commerce platforms scramble to secure their infrastructures, this incident serves as a stark reminder of the importance of rigorous software vetting, regular security audits, and the adoption of robust authentication mechanisms to prevent such covert, long-dormant threats from surfacing years after initial infiltration.
The full scope of the breach is yet to be determined, but the potential for data theft, financial loss, and reputational harm looms large over the affected entities.