A sweeping supply chain attack has compromised hundreds of Magento-based e-commerce stores, raising urgent questions about the security of online retail platforms and the steps businesses must take to protect themselves and their customers. The breach, which lay dormant for years before being activated in April 2025, is one of the most significant supply-chain hacking incidents to hit the e-commerce sector in recent years.
Between 500 and 1,000 e-commerce sites have fallen victim to the coordinated supply chain attack targeting the leading e-commerce platform. The attackers infiltrated the software supply chain by injecting malicious backdoors into 21 popular Magento extensions, distributed by well-known vendors such as Tigren, Meetanshi, and Magesolution (MGS). These extensions, used for critical store functions like carts, shipping calculations, and wishlists, are widely adopted by online retailers worldwide.
According to Sansec, the cybersecurity firm that uncovered the breach, some of the backdoored extensions were compromised as early as 2019, but the malicious code only became active in April 2025. This sleeper attack allowed threat actors to bypass standard security mechanisms and gain access to sensitive customer data, including payment details.
For B2B (business-to-business) e-commerce businesses (manufacturers, distributors, and wholesalers), the risks extend beyond stolen credit card data. Outdated or compromised plugins can disrupt ERP (enterprise resource planning) and CRM (customer relationship management) integrations, order cycles, and fulfillment operations, resulting in lost revenue and eroded customer trust. The incident also highlights the responsibility that comes with self-hosted, plugin-based e-commerce architectures: businesses must stay vigilant with updates, patches, and third-party software reviews.
Anatomy of a six-year sleeper attack
What makes this Magento supply chain attack especially alarming is its duration and sophistication. The attackers managed to inject backdoors into extension packages distributed between 2019 and 2022, but waited until April 2025 to activate the malware. This allowed the malicious code to remain undetected for up to six years, highlighting gaps in routine security audits and extension vetting processes.
Sansec’s investigation revealed that the servers of all three major extension vendors had been breached, enabling attackers to tamper with download servers and distribute compromised software to unsuspecting store owners. Once installed, the backdoored extensions provided attackers with admin-level access, allowing them to steal encryption keys, inject malicious code into checkout pages, and exfiltrate sensitive customer data.
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has since added the vulnerability (CosmicSting, CVE-2024-34102) to its Known Exploited Vulnerabilities Catalog, emphasizing the widespread risk to the e-commerce ecosystem.
Immediate steps every e-commerce business should take after a data breach
In the wake of Magento’s supply-chain hacking incident, e-commerce businesses must adopt a clear action plan for data breach response and long-term e-commerce security.
Immediate steps after a data breach include:
1. Contain and investigate the breach
Start by disconnecting the affected store from the network to prevent further damage. Change all admin passwords and reset API keys and payment gateway credentials to lock out attackers. Then, engage digital forensics experts to identify the breach’s scope, the entry point, and the data affected.
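One way to carry out the scoping part of this step, as an added example that is not part of the original article or any vendor's tooling: a Python script that reads a Magento store's composer.lock and flags every installed package from the three vendors named in the report, noting whether its release date falls inside the 2019-2022 distribution window stated above. The Composer vendor prefixes (tigren, meetanshi, mgs) and the sample lock file contents are assumptions constructed for the example and must be checked against your own lock file. A match is a trigger for review against the published indicators from Sansec and the vendors, not proof of compromise.

```python
"""Inventory Magento Composer packages and flag those from vendors named in the report.

Added example for breach scoping; not code from the article, Sansec, or any vendor.
"""
import json
from datetime import datetime, timezone

# ASSUMPTION: Composer vendor prefixes for Tigren, Meetanshi and Magesolution (MGS).
# Verify these against the "name" fields in your own composer.lock before relying on them.
SUSPECT_VENDORS = {"tigren", "meetanshi", "mgs"}

# Distribution window for the backdoored packages, as stated in the article (2019-2022).
WINDOW_START = datetime(2019, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample composer.lock; package names, versions and dates are made up.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/product-community-edition", "version": "2.4.6",
         "time": "2023-03-14T00:00:00+00:00"},
        {"name": "tigren/ajax-cart", "version": "1.2.0",
         "time": "2021-06-02T09:15:00+00:00"},
        {"name": "meetanshi/shipping-calculator", "version": "2.0.1",
         "time": "2018-11-20T12:00:00+00:00"},
    ],
    "packages-dev": [
        {"name": "mgs/wishlist-pro", "version": "3.1.4",
         "time": "2020-02-28T08:30:00+00:00"},
    ],
})


def parse_lock(lock_text):
    """Return (name, version, release datetime or None) for every package in a composer.lock.

    Both "packages" and "packages-dev" are read; the "time" field is the ISO 8601
    release timestamp Composer records for each locked package.
    """
    data = json.loads(lock_text)
    packages = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            released = pkg.get("time")
            when = datetime.fromisoformat(released) if released else None
            packages.append((pkg["name"], pkg.get("version", "?"), when))
    return packages


def vendor_of(package_name):
    """Composer package names are 'vendor/name'; return the vendor part, lower-cased."""
    return package_name.split("/", 1)[0].lower()


def flag_packages(packages):
    """Return (name, version, reason) for each package from a suspect vendor.

    reason is 'in-window' when the release date lies in 2019-2022, 'outside-window'
    otherwise, and 'no-date' when the lock entry carries no timestamp. All three are
    worth reviewing, since the vendors' download servers themselves were breached.
    """
    findings = []
    for name, version, when in packages:
        if vendor_of(name) not in SUSPECT_VENDORS:
            continue
        if when is None:
            reason = "no-date"
        elif WINDOW_START <= when <= WINDOW_END:
            reason = "in-window"
        else:
            reason = "outside-window"
        findings.append((name, version, reason))
    return findings


def audit(lock_text):
    """Parse a composer.lock and return the list of flagged packages."""
    return flag_packages(parse_lock(lock_text))


if __name__ == "__main__":
    # Replace SAMPLE_LOCK with open("composer.lock").read() on a real store.
    for name, version, reason in audit(SAMPLE_LOCK):
        print(f"REVIEW  {name:40s} {version:10s} {reason}")
```

Run it against the store's real composer.lock from a forensic copy rather than the live host, so the inventory itself does not disturb evidence; the flagged list then tells the investigators which extensions to pull for code review and which vendors' advisories apply.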
2. Notify stakeholders and maintain transparency
Develop a communication plan to inform affected customers, employees, and partners about the breach and the steps being taken. Avoid misleading statements; transparency is critical for maintaining trust and compliance with data protection regulations.
3. Seek expert assistance
Partner with digital forensics and incident response (DFIR) specialists to ensure a thorough recovery and to remove any trace of the malicious code. Porthas provides customizable Incident Response Retainers (IRR), a pre-arranged agreement guaranteeing rapid access to our cybersecurity experts during a cyber incident. Contact us 24/7.