Hackers Weaponized 21 Apps to Gain Full Control of Ecommerce Servers


May 6, 2025 - 03:22

Security researchers have recently uncovered a sophisticated supply chain attack targeting ecommerce platforms through 21 widely-used applications.

The backdoor, injected between 2019 and 2022 and dormant for up to six years, was recently activated, giving the attackers full control of the affected servers.

The malware operates through a deceptive license verification mechanism embedded within extensions from popular vendors.

Though planted years ago, the code showed no signs of active exploitation until April 20, 2025, an unusually long dwell time that points to patient, deliberate planning by the operators behind the campaign.

Sansec researchers identified the backdoor across multiple applications from three major vendors: Tigren, Meetanshi, and Magesolution (MGS).

A fourth vendor, Weltpixel, may also be compromised, though investigators have not yet confirmed whether the company itself was breached or if specific stores using their extensions were individually targeted.

The scale of the attack is significant: security experts estimate that between 500 and 1,000 ecommerce stores are currently running the compromised software.

This widespread distribution highlights the devastating potential of supply chain attacks to impact numerous organizations through trusted software providers.

Infection Mechanism

The backdoor is implemented as a fake license verification component, shipped in files named License.php or LicenseApi.php.

At the core of the backdoor is the adminLoadLicense function, which passes a caller-controlled path to include_once and therefore executes whatever PHP that file contains:

protected function adminLoadLicense($licenseFile)
{
    // ...
    $data = include_once($licenseFile);
    // ...
}

Because include_once runs the PHP in whatever file $licenseFile points at, anyone who can write that file gets arbitrary code execution on the server. The companion adminUploadLicense function is how the attackers control it: it accepts an uploaded "license" that adminLoadLicense then includes.

The earliest (2019) versions required no authentication at all to reach this upload path. Later iterations added a check against a hardcoded checksum computed with a salt unique to each vendor. That check does not protect the store; it only restricts use of the backdoor to whoever holds the vendor-specific secret, i.e. its authors.

The backdoor keeps the same structure across all affected packages but varies the authorization checksums, backdoor paths and license filenames from package to package, which defeats simple hash- or signature-based detection.
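Because the filenames and checksums vary per package, a practical check has to look for the shape of the backdoor rather than a fixed hash. The following Python scanner is an added example for this article, not Sansec's tooling or any vendor's code: it walks a Magento/PHP tree and flags files that combine a License.php/LicenseApi.php name, an adminLoadLicense/adminUploadLicense function, an include of a variable path, and a hardcoded salt or checksum. The "Acme" sample files it writes are constructed for the demo, and the regexes are assumptions about how those traits appear in source, derived from the snippet above.

```python
"""Added example: scan a PHP tree for the License.php backdoor shape described
in the article. Not Sansec's or any vendor's code; samples are constructed and
the regexes are assumptions about the code shape."""
import os
import re
import tempfile

# File names the article reports as carriers of the backdoor.
SUSPECT_FILENAMES = {"License.php", "LicenseApi.php"}

# Traits of the backdoor: loader/uploader names from the article, an include or
# require of a variable path, and a hardcoded checksum/salt gate (assumed shape).
PATTERNS = {
    "loader": re.compile(r"\bfunction\s+adminLoadLicense\b"),
    "uploader": re.compile(r"\bfunction\s+adminUploadLicense\b"),
    "variable_include": re.compile(
        r"\b(?:include_once|include|require_once|require)\s*\(?\s*\$\w+"),
    "hardcoded_gate": re.compile(
        r"\$(?:salt|checksum)\s*=\s*['\"][^'\"]{6,}['\"]", re.IGNORECASE),
}


def scan_file(path: str) -> list[str]:
    """Sorted traits found in one PHP file (empty if clean)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    hits = [name for name, rx in PATTERNS.items() if rx.search(src)]
    if os.path.basename(path) in SUSPECT_FILENAMES:
        hits.append("suspect_filename")
    return sorted(hits)


def looks_like_backdoor(hits: list[str]) -> bool:
    """Strong signal: a loader or uploader function next to a variable include.
    A suspect filename alone is only a triage hint; many benign License.php exist."""
    return "variable_include" in hits and ("loader" in hits or "uploader" in hits)


def scan_tree(root: str) -> dict[str, list[str]]:
    """Map each .php file under root with at least one trait to its traits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.endswith(".php"):
                full = os.path.join(dirpath, fn)
                if hits := scan_file(full):
                    findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample tree (hypothetical "Acme" modules, not real vendor code).
SAMPLES = {
    # Full backdoor shape: uploader writes the file, loader include_once()s it.
    "app/code/Acme/Licensing/Helper/License.php": r"""<?php
class Acme_Licensing_Helper_License {
    protected $salt = 'c0ffee1234deadbeef'; // hardcoded per-vendor gate
    protected function adminUploadLicense($content, $checksum) {
        if (md5($content . $this->salt) !== $checksum) { return false; }
        return file_put_contents($this->licensePath(), $content);
    }
    protected function adminLoadLicense($licenseFile) {
        return include_once($licenseFile); // runs whatever PHP the file holds
    }
}
""",
    # Variable include only: worth a look, but no upload handler.
    "app/code/Acme/Sdk/Model/LicenseApi.php": r"""<?php
class Acme_Sdk_Model_LicenseApi { public function load($path) { return require_once $path; } }
""",
    # Benign file that merely shares the suspect name.
    "app/code/Acme/Theme/Block/License.php": r"""<?php
class Acme_Theme_Block_License { public function getLicenseName() { return 'MIT'; } }
""",
    # Clean file: fixed path, no dynamic include.
    "app/code/Acme/Catalog/Helper/Data.php": r"""<?php
class Acme_Catalog_Helper_Data { public function text() { return file_get_contents(__DIR__ . '/LICENSE.txt'); } }
""",
}


def build_sample_tree(root: str) -> None:
    """Write the constructed sample files under root."""
    for rel, src in SAMPLES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(src)


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        flag = "BACKDOOR-SHAPE" if looks_like_backdoor(hits) else "review"
        print(f"{flag:15} {path}: {', '.join(hits)}")
```

Against a real store, point scan_tree at the Magento root so both app/code and vendor are covered. Treat a filename hit on its own as a triage hint, not a finding; the combination that matters is a loader or uploader function beside an include of a variable path. For any file that scores that way, also inspect the file the license path resolves to, since its contents are what actually executes, and check whether the web server user can write to it.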


The post Hackers Weaponized 21 Apps to Gain Full Control of Ecommerce Servers appeared first on Cyber Security News.