In a significant escalation of cyber attacks, over 7,500 Magento sites have been targeted in a mass defacement campaign that began approximately three weeks ago, according to reports from a digital risk protection platform.
The attackers wrote defacement files directly onto the compromised servers; the files are plaintext and have been observed across more than 15,000 distinct hostnames.
Many of these text files include the handles of the attackers, although a small number feature political messages that reference ongoing geopolitical tensions.
“At the time of publication, these messages appeared for only a single day, 7 March 2026, and were not found in previous or subsequent defacements, indicating that this was not the primary goal of the campaign,” the report states.
The cybersecurity firm also highlights that many of the incidents were reported to a defacement archive using the account name 'Typical Idiot Security', which coincides with the handle found in the defacement messages, suggesting an intention to establish a notorious reputation among peers.
Investigation by the firm reveals that the attackers are likely exploiting an unauthenticated file upload vulnerability affecting multiple versions of Magento, including Magento Open Source (Community Edition), Magento Enterprise, and Adobe Commerce deployments that utilize Magento B2B.
The firm noted similarities to attacks in October 2025 that leveraged the SessionReaper flaw, and it was able to reproduce the technique against a test instance running a recent Magento Open Source (Community) release, uploading a text file without authentication.
This recent campaign has impacted well-known global brands, including Asus, BenQ, Citroën, Diesel, FedEx, Fiat, Fila, Bandai, Lindt, Toyota, and Yamaha. Most attacks targeted subdomains, regional storefronts, and staging environments, although some production-facing sites were also briefly defaced.
Additionally, several regional government services, university websites in Latin America and Qatar, and various international non-profit organizations fell victim to the campaign. Notably, multiple domains associated with the Trump Organization were also defaced during this wave of attacks.
New Vulnerabilities Identified
As news of the defacement campaign circulated, a new vulnerability was reported in the REST API of Magento and Adobe Commerce that could be exploited to upload executable files to any store without authentication.
This bug affects all versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2 and has the potential to be exploited for cross-site scripting (XSS) in all versions before 2.3.5.
“The vulnerable code has been present since the initial release of Magento 2. Adobe has addressed this in the 2.4.9 pre-release branch as part of APSB25-94; however, no isolated patch is available for current production versions,” the firm noted.
The security company has dubbed this vulnerability 'PolyShell', and while many sites are found to expose files within the upload directory, it appears that this particular flaw has not yet been exploited in real-world attacks.
“Although the method of exploitation has not been observed actively in the wild, the exploit technique is already circulating, and we anticipate that automated attacks will emerge soon,” the cybersecurity firm warned.
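Both findings above come down to the same question for a store operator: what is sitting in the Magento upload directory that should not be there? The following triage script is an added example written for this article; it is not code from the reporting firm, Adobe or the Magento project. It assumes the standard Magento 2 media upload directory (`pub/media`, passed in by the caller), treats the handle quoted above as the only defacement marker, and scans a constructed sample tree rather than a real store. It flags two classes of file: anything executable under the upload directory (server-side extensions, including double extensions such as `shell.php.jpg`, or a PHP open tag hidden inside a file with an innocuous extension) and plaintext files carrying the defacement handle.

```python
"""Triage a Magento 2 upload directory for executables and defacement files.

Added example (not the article's, Adobe's or the reporting firm's code).
Assumption: the directory passed in is the store's media upload root,
normally <webroot>/pub/media. The sample tree below is constructed.
"""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Server-side extensions that have no business under an upload directory.
EXEC_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7",
                   ".phar", ".shtml", ".cgi", ".pl"}
# PHP open tags; catches code smuggled into files with image-like names.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Handle reported in the article's defacement messages.
DEFACEMENT_MARKERS = ("Typical Idiot Security",)


@dataclass(frozen=True)
class Finding:
    path: str    # path relative to the upload directory, POSIX separators
    kind: str    # "executable", "defacement" or "unreadable"
    detail: str


def scan_upload_dir(media_dir: str, markers=DEFACEMENT_MARKERS,
                    max_bytes: int = 1 << 20) -> list[Finding]:
    """Walk media_dir and return one Finding per suspicious observation."""
    root = Path(media_dir)
    findings: list[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # symlinks out of the tree are a separate concern
        rel = p.relative_to(root).as_posix()
        try:
            head = p.read_bytes()[:max_bytes]  # only inspect the first MiB
        except OSError as exc:
            findings.append(Finding(rel, "unreadable", str(exc)))
            continue
        # p.suffixes covers double extensions, e.g. shell.php.jpg -> .php, .jpg
        if {s.lower() for s in p.suffixes} & EXEC_EXTENSIONS:
            findings.append(Finding(rel, "executable",
                                    "server-side extension under upload dir"))
        elif PHP_OPEN_TAG.search(head):
            findings.append(Finding(rel, "executable",
                                    "PHP open tag inside non-PHP file"))
        text = head.decode("utf-8", errors="ignore").lower()
        for marker in markers:
            if marker.lower() in text:
                findings.append(Finding(rel, "defacement",
                                        f"contains handle {marker!r}"))
    return findings


def build_demo_media_dir() -> str:
    """Constructed sample tree standing in for pub/media (not victim data)."""
    d = Path(tempfile.mkdtemp(prefix="magento_media_"))
    (d / "catalog" / "product").mkdir(parents=True)
    (d / "wysiwyg").mkdir()
    # Legitimate product image: JPEG magic bytes, nothing else of interest.
    (d / "catalog" / "product" / "shoe.jpg").write_bytes(
        b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    # Plaintext defacement file of the kind described in the article.
    (d / "hacked.txt").write_text("Hacked by Typical Idiot Security\n")
    # Web shell dropped with a server-side extension.
    (d / "wysiwyg" / "cache.php").write_text("<?php system($_GET['c']); ?>")
    # Image-looking file whose body carries PHP code (constructed sample).
    (d / "wysiwyg" / "logo.gif").write_bytes(b"GIF89a<?php echo 1; ?>")
    return str(d)


if __name__ == "__main__":
    for f in scan_upload_dir(build_demo_media_dir()):
        print(f"{f.kind:<11} {f.path:<30} {f.detail}")
```

Run it against a real store with `scan_upload_dir("/var/www/html/pub/media")`; a clean Magento install should produce no `executable` findings, since Magento itself keeps no PHP under `pub/media`, so anything returned there is worth pulling for timeline analysis before it is removed.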
Source: SecurityWeek News