Cyber Web Spider Blog – News

Magento Sites Breached by Major Cyberattack

Posted on March 20, 2026 By CWS

In a significant cybersecurity incident, more than 7,500 e-commerce websites using the Magento platform have been compromised since late February 2026. This attack involved the insertion of malicious files into web directories, targeting thousands of domains globally.

Scope and Impact of the Attack

The breach affected over 15,000 hostnames, impacting a wide range of sectors including commercial brands, government bodies, educational institutions, and non-profits across multiple countries. This makes it one of the largest Magento-targeted attacks observed recently.

Magento is a widely used e-commerce platform, popular with both small businesses and large enterprises. That reach makes it an attractive target: a single vulnerability can be exploited against numerous websites simultaneously. This campaign demonstrated such scalability, affecting thousands of domains in a matter of weeks.

Initial Detection and Notable Victims

Researchers at Netcraft first detected the campaign on February 27, 2026, and have been monitoring its progression. Among the affected parties are prominent organizations such as Toyota, Fiat, Citroën, Asus, Diesel, Fila, Bandai, FedEx, BenQ, Yamaha, and Lindt. While most attacks targeted non-core areas like subdomains and regional storefronts, some live customer-facing sites were temporarily impacted before being secured.

The reach of the campaign extended beyond commercial entities, with defacements reported on government service domains, university websites in Latin America and Qatar, and infrastructure of international non-profits. Even domains associated with the Trump Organization were caught in the widespread attack.

Technical Details and Vulnerability Exploitation

The attackers exploited an unauthenticated file upload vulnerability in some Magento installations. This flaw allows malicious files to be uploaded to web servers without requiring credentials, providing an easy entry point for attackers. Netcraft confirmed this vulnerability by successfully uploading a test file to a Magento Community instance.

This flaw affects various Magento products, including Magento Open Source, Magento Enterprise, Adobe Commerce, and the B2B module. Although Adobe issued a security bulletin for other vulnerabilities, this specific exploit was not directly addressed in those updates. The attack shares characteristics with the SessionReaper vulnerability from October 2025, which involved similar unauthorized file access.

Recommendations for Affected Organizations

Organizations using Magento are advised to immediately review their file upload endpoints, apply all available security updates, monitor for unauthorized files, and thoroughly check server configurations. With new instances of compromise still emerging, swift action is critical to mitigate further risks.

Copyright © 2026 Cyber Web Spider Blog – News.
