A coordinated supply chain attack has compromised multiple eCommerce vendors, with Sansec identifying 21 applications containing the same backdoor. The malware was inserted six years ago but was activated recently, allowing attackers to gain full control over eCommerce servers. Sansec estimates that 500 to 1000 stores are currently running compromised software.
Compromised Packages:
The following packages from Tigren, Meetanshi, and Magesolution (MGS) were found to contain backdoors:
| Vendor | Package |
|---|---|
| Tigren | Ajaxsuite |
| Tigren | Ajaxcart |
| Tigren | Ajaxlogin |
| Tigren | Ajaxcompare |
| Tigren | Ajaxwishlist |
| Tigren | MultiCOD |
| Meetanshi | ImageClean |
| Meetanshi | CookieNotice |
| Meetanshi | Flatshipping |
| Meetanshi | FacebookChat |
| Meetanshi | CurrencySwitcher |
| Meetanshi | DeferJS |
| MGS | Lookbook |
| MGS | StoreLocator |
| MGS | Brand |
| MGS | GDPR |
| MGS | Portfolio |
| MGS | Popup |
| MGS | DeliveryTime |
| MGS | ProductTabs |
| MGS | Blog |
Sansec confirmed that Tigren, MGS, and Meetanshi servers were breached, and attackers injected backdoors into their download servers.
🔗 Source: Sansec Report
You Should Know: Detecting & Mitigating Supply Chain Attacks
1. Check for Compromised Packages
If your eCommerce platform uses any of the listed packages, immediately audit your systems.
Linux commands to check installed packages (Magento/WordPress):

```bash
# For Magento modules: list any module directories from the affected vendors
ls -la app/code/Tigren/
ls -la app/code/Meetanshi/
ls -la app/code/MGS/

# For WordPress plugins
wp plugin list --status=active --field=name | grep -E 'tigren|meetanshi|mgs'
```
2. Scan for Backdoors
Use malware scanners, and the following commands, to detect suspicious PHP files:

```bash
# Find PHP files modified in the last 7 days (potential backdoors)
find . -type f -name "*.php" -mtime -7 -exec ls -la {} \;

# Check for obfuscated code (common in backdoors)
grep -r "eval(base64_decode(" /var/www/html
```
3. Block Suspicious IPs
If attackers have already accessed your system, block the malicious IPs:

```bash
# Check active connections on the web ports (-l would only list listening sockets)
netstat -tnp | grep -E ':(80|443) '

# Block an IP using iptables (replace MALICIOUS_IP with the address seen above)
iptables -A INPUT -s MALICIOUS_IP -j DROP
```
4. Restore from Clean Backups
If compromised, restore from a known clean backup, and verify its integrity first by comparing it against the checksum recorded when the backup was taken:

```bash
# Compute the current hash, then compare it with the stored checksum file
sha256sum backup.tar.gz
sha256sum -c backup.tar.gz.sha256
```
5. Update & Patch
Ensure all software is up to date:

```bash
# For Magento: enable maintenance mode before upgrading, then re-open the store
php bin/magento maintenance:enable
php bin/magento setup:upgrade
php bin/magento maintenance:disable
```
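As an added example (not code from the page or from Sansec), steps 1 and 2 combined into one Python triage script: it reports which of the packages listed in the table are present under app/code, flags PHP files containing the eval(base64_decode( idiom and a few common variants, and lists PHP files modified within a window. The pattern names, the extra patterns and the 7-day default are assumptions; a hit is a triage signal to review by hand, not proof of compromise.

```python
import re
import time
from pathlib import Path

# Compromised Magento packages per vendor, as listed in the table above (from the Sansec report).
COMPROMISED = {
    "Tigren": {"Ajaxsuite", "Ajaxcart", "Ajaxlogin", "Ajaxcompare", "Ajaxwishlist", "MultiCOD"},
    "Meetanshi": {"ImageClean", "CookieNotice", "Flatshipping", "FacebookChat",
                  "CurrencySwitcher", "DeferJS"},
    "MGS": {"Lookbook", "StoreLocator", "Brand", "GDPR", "Portfolio", "Popup",
            "DeliveryTime", "ProductTabs", "Blog"},
}

# Obfuscation idioms typical of PHP backdoors: the page's eval(base64_decode( check plus
# common variants (assumed list). A match is a signal for manual review, not a verdict.
SUSPICIOUS = {
    "eval-of-decoder": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "preg_replace-e-modifier": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"),
    "assert-of-request-input": re.compile(
        r"(?:assert|create_function)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
}


def scan_magento_tree(root, modified_within_days=7):
    """Return installed compromised packages, suspicious PHP files and recently modified PHP files."""
    root = Path(root)
    code_dir = root / "app" / "code"
    # Step 1: which listed vendor/package directories exist under app/code
    installed = sorted(
        (vendor, pkg.name)
        for vendor, packages in COMPROMISED.items()
        if (code_dir / vendor).is_dir()
        for pkg in (code_dir / vendor).iterdir()
        if pkg.is_dir() and pkg.name in packages
    )
    # Step 2: recently modified PHP files and obfuscation patterns anywhere in the tree
    suspicious, recent = [], []
    cutoff = time.time() - modified_within_days * 86400
    for php in root.rglob("*.php"):
        rel = php.relative_to(root).as_posix()
        if php.stat().st_mtime >= cutoff:
            recent.append(rel)
        try:
            text = php.read_text(errors="replace")
        except OSError:
            continue
        suspicious.extend((rel, name) for name, pat in SUSPICIOUS.items() if pat.search(text))
    return {"installed": installed, "suspicious": sorted(suspicious), "recent": sorted(recent)}
```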
What Undercode Says
Supply chain attacks are becoming more sophisticated, with attackers planting malware years before activation. This case highlights the importance of:
– Regular code audits
– Strict vendor trust verification
– Automated malware scanning
– Network segmentation for critical systems
Key Linux commands for security audits:

```bash
# Monitor file changes in real time
inotifywait -m -r /var/www/html

# Check cron jobs for malicious tasks (user crontab and the system cron directories)
crontab -l
ls -la /etc/cron.*

# Verify file permissions: world-writable files should not exist in the web root
find /var/www/html -type f -perm 0777
```
Windows commands for detecting backdoors:

```powershell
# Check running processes whose image path mentions an affected vendor
Get-Process | Where-Object { $_.Path -like "*tigren*" -or $_.Path -like "*meetanshi*" }

# Scan for suspicious DLLs
dir C:\Windows\System32\*.dll | findstr /i "tigren meetanshi mgs"
```
Expected Output:
- Immediate removal of affected packages
- Enhanced monitoring for unusual server activity
- Implementation of strict supply chain security policies
Prediction
Future supply chain attacks will increasingly target open-source libraries, requiring stricter code signing and integrity checks across all software dependencies.
🔗 Read More: Sansec Report
References:
Reported By: Mthomasson Major – Hackers Feeds