Hackers Compromised 7,500+ Magento Websites to Upload Hidden

Sarah simpson
March 20, 2026

More than 7,500 Magento-powered e-commerce websites have fallen victim to a sweeping cyberattack campaign since late February 2026. Attackers uploaded hidden malicious files into publicly accessible web directories across thousands of these compromised domains.

The attack has spread to over 15,000 hostnames, affecting commercial brands, government agencies, universities, and non-profit organizations spanning multiple countries, making it one of the most far-reaching Magento-focused campaigns observed in recent years.

Magento is one of the most widely deployed e-commerce platforms in the world, powering everything from small independent shops to large enterprise storefronts.

Its widespread adoption makes it an especially appealing target for attackers looking to compromise many websites at once with minimal effort.

Once a reliable exploitation method is discovered, threat actors can scale it rapidly — which is exactly what happened here, with thousands of unique domains falling victim within just a matter of weeks after the campaign began.

Netcraft researchers identified the campaign’s first activity on February 27, 2026, and have continued tracking its growth ever since.

Among the most notable victims are globally recognized organizations including Toyota, Fiat, Citroën, Asus, Diesel, Fila, Bandai, FedEx, BenQ, Yamaha, and Lindt.

Defacement observed on an e-commerce storefront environment (Source - Netcraft)

While most compromises involved subdomains, staging environments, or regional storefronts rather than core production systems, some live customer-facing websites were briefly impacted before remediation efforts were put in place. 

Example of a compromised staging or regional storefront domain (Source - Netcraft)

The campaign’s reach extended well beyond the commercial world. Researchers also found defacements on regional government service domains, university websites in Latin America and Qatar, international non-profit infrastructure, and several domains associated with the Trump Organization — including trumpstore.com, trumphotels.com, and booktrump.com.

Despite the high-profile nature of some of these names, the evidence suggests these sites were not deliberately chosen. They were simply caught in a broad, indiscriminate sweep targeting vulnerable Magento infrastructure wherever it could be found.

Example defacement page displaying attacker aliases and “greetz” message (Source - Netcraft)

Most of the defaced pages contained simple text files displaying the attacker handles — L4663R666H05T, Simsimi, Brokenpipe, and Typical Idiot Security — along with “greetz” messages, a common practice in the defacement community where attackers name their collaborators and allies.

A smaller set of defacements, appearing only on March 7, 2026, included geopolitical messaging. Analysts concluded this brief outbreak of political content was not the campaign’s core motivation but rather an isolated display that fell outside the normal pattern of activity.

How Attackers Got In: The File Upload Flaw

The attack appears to hinge on an unauthenticated file upload vulnerability affecting some Magento environments.

This type of flaw is dangerous because it allows an attacker to write files directly onto a web server without holding any legitimate account credentials. No login, no password — just a direct path to depositing files wherever the vulnerability allows.

Netcraft researchers confirmed this behavior by successfully uploading a .txt file to a test Magento instance running Magento Community 2.4.9-beta1, the platform’s latest available version at publication time.

Text file uploaded to a test Magento Community instance by Netcraft (Source - Netcraft)

This finding showed that even freshly updated Magento installations may remain exposed under certain server configurations. The vulnerable scope covers Magento Open Source, Magento Enterprise, Adobe Commerce, and Adobe Commerce with the B2B module.

While Adobe released a security bulletin for multiple Adobe Commerce vulnerabilities around this time, the specific behavior observed in this campaign does not appear to directly match those published fixes.

Analysts also noted that this campaign shares similarities with the SessionReaper Magento vulnerability from October 2025, which also involved unauthorized file access.

Many compromised pages were self-reported to Zone-H, a public defacement archive, by the notifier handle “Typical Idiot Security” — the same alias found embedded in the defacement content itself, pointing to an actor deliberately documenting their own activity to earn standing within the defacement community.

Organizations running Magento-based infrastructure are strongly advised to immediately review all exposed file upload endpoints, apply available Adobe Commerce security updates without delay, actively monitor web directories for unauthorized file additions, and thoroughly investigate any unexpected files found in publicly accessible server paths.

Given that new compromised sites were still appearing at the time of writing, prompt action is essential.
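
One way to act on the advice to monitor web directories for unauthorized file additions, as an added example that is not code from Netcraft, Adobe, or the original article: it compares a web root against a known-good baseline and flags new or changed files containing the attacker handles quoted above. The directory layout and file contents in `demo()` are constructed for illustration, and the function names are hypothetical.

```python
import hashlib
import os
import tempfile

# Handles quoted in the article; finding one in a new file is a strong defacement signal.
HANDLES = ("L4663R666H05T", "Simsimi", "Brokenpipe", "Typical Idiot Security")


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest


def audit(root, baseline):
    """Compare root with a trusted baseline: added files, modified files, handle hits."""
    current = snapshot(root)
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    hits = {}
    for rel in added + modified:
        with open(os.path.join(root, rel), "rb") as fh:
            text = fh.read(65536).decode("utf-8", "replace").lower()
        found = [h for h in HANDLES if h.lower() in text]
        if found:
            hits[rel] = found
    return {"added": added, "modified": modified, "handle_hits": hits}


def demo():
    """Constructed sample: a tiny fake web root with one dropped text file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "media"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>store</h1>")
        baseline = snapshot(root)  # assumed to be taken from a known-good deployment
        with open(os.path.join(root, "media", "note.txt"), "w") as fh:
            fh.write("hacked by brokenpipe, greetz to Simsimi")  # constructed content
        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored outside the web root so that a party able to write files there cannot also rewrite it, and every entry in `added` deserves review even when no handle matches.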
