
Thousands of Magento Sites Hit in Ongoing Defacement Campaign

Apr 12, 2026  Twila Rosenbaum

A significant defacement campaign has targeted over 7,500 Magento sites, as reported by digital risk protection platforms. The campaign, which began three weeks ago, has affected more than 15,000 hostnames with attackers deploying plaintext defacement files directly onto the affected servers.

Most of the defacement files contain only the attackers' handles; a minority also carry political messages related to recent geopolitical conflicts. Notably, these messages were only visible for a single day, on March 7, 2026, indicating that they were not the main objective of the attack.

According to cybersecurity observations, the majority of these incidents have been reported to the defacement archive under the account name 'Typical Idiot Security', which aligns with the handles found in the defacement messages. This suggests that the attackers may be attempting to establish a reputation within the hacking community.

Netcraft, the reporting platform, indicates that the attackers are likely exploiting an unauthenticated file upload vulnerability that affects various versions of Magento, including Magento Open Source (Community Edition), Magento Enterprise/Adobe Commerce, and Adobe Commerce with Magento B2B. This vulnerability appears to be similar to the exploits observed in the October 2025 attacks that took advantage of the SessionReaper flaw.

During testing, Netcraft was able to exploit the latest version of Magento Community to upload a text file to a test instance, confirming that the vulnerability is exploitable. The campaign has notably impacted a range of global brands, including Asus, BenQ, Citroën, Diesel, FedEx, Fiat, Fila, Bandai, Lindt, Toyota, and Yamaha. The attacks have primarily targeted subdomains, regional storefronts, and staging environments, although some live production sites were also briefly defaced.

In addition to corporate websites, several regional government services, educational institutions in Latin America and Qatar, and various international non-profit organizations have also fallen victim to this campaign. Notably, domains associated with the Trump Organization were among those defaced.

Emergence of PolyShell Vulnerability

The news of this defacement campaign coincides with reports from security firm Sansec regarding a new vulnerability in the REST API of Magento and Adobe Commerce. This flaw can be exploited to upload executable files to any store without requiring authentication. According to Sansec, the bug affects all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2 and has the potential to allow cross-site scripting (XSS) in versions prior to 2.3.5.

Sansec has identified that this vulnerable code has been present since the initial release of Magento 2. Although Adobe has addressed this in the 2.4.9 pre-release branch as part of APSB25-94, no isolated patch is available for current production versions. The vulnerability, dubbed PolyShell, has not yet been actively exploited in the wild, but Sansec anticipates that exploitation methods will soon circulate, leading to automated attack campaigns.

As the situation develops, it remains critical for Magento site operators to assess their security measures and ensure that they are protected against potential vulnerabilities. The ongoing defacement campaign serves as a stark reminder of the importance of robust security practices in the digital landscape.



Source: SecurityWeek News

