In a significant cybersecurity incident, over 7,500 Magento sites have fallen victim to a sweeping defacement campaign, as reported by Netcraft, a digital risk protection firm. This malicious activity has unfolded over the past three weeks, targeting a broad array of online platforms.
Details of the Defacement Attacks
The attackers have strategically placed defacement files across more than 15,000 hostnames, primarily as plaintext files. While many files simply display the attackers’ handles, some contain political messages linked to recent geopolitical tensions. Interestingly, these messages only appeared briefly on March 7, 2026, suggesting political motives were not the main driver of these attacks.
Netcraft highlights that these incidents are being reported to the defacement archive Zone-H under the account ‘Typical Idiot Security.’ This handle also appears in the defacement messages, hinting at an effort by the perpetrators to establish notoriety.
Exploiting Magento Vulnerabilities
The campaign is believed to exploit an unauthenticated file upload vulnerability affecting Magento Open Source (Community Edition), Magento Enterprise, and Adobe Commerce, including deployments with Magento B2B. Netcraft draws parallels with similar exploits from October 2025, which involved the SessionReaper flaw. This vulnerability allowed the uploading of text files to test instances, underscoring the ongoing risks.
High-profile brands such as Asus, BenQ, Citroën, Diesel, and others have been impacted, with subdomains, regional storefronts, and even some production sites briefly compromised. Additionally, several government and educational domains in Latin America and Qatar, along with non-profit organizations, were targeted.
Emerging PolyShell Vulnerability
Amidst these developments, Sansec has uncovered a new vulnerability in the REST API of Magento and Adobe Commerce, dubbed PolyShell. This flaw permits unauthorized executable uploads to any store, affecting all versions up to 2.4.9-alpha2. It poses an XSS risk in versions before 2.3.5.
Sansec notes that although the vulnerable code has been present since Magento 2’s inception, Adobe has addressed it in the 2.4.9 pre-release branch. However, a dedicated patch for current versions is not yet available. While active exploitation has not been observed, Sansec warns that the exploit method is circulating, potentially leading to automated attacks in the near future.
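Both reports above describe the same kind of artefact on disk: files that should never exist under a storefront's media tree, whether plaintext defacement notes or executable uploads. The script below is an added, defender-side example, not code from the original article and not tooling from Netcraft, Sansec, Magento or Adobe. It walks a Magento-style `pub/media` directory and flags files with executable extensions, files of unexpected types, and image-named files whose content carries a PHP open tag. The directory layout, the expected-extension lists and the sample file contents are assumptions constructed for the example; it is a review of what is already on disk, not a fix for either vulnerability.

```python
"""Audit a Magento-style pub/media tree for files that should not be there.
Added defender-side example (not Netcraft's, Sansec's, Magento's or Adobe's
code); it assumes only static assets belong under pub/media."""
import sys
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Extensions a PHP application must never serve from an upload directory.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".php7", ".cgi", ".pl", ".sh"}
# Asset types expected in a storefront media tree (assumption for this example).
EXPECTED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg", ".ico", ".pdf", ".css", ".js"}
# Dotfiles Magento itself ships in pub/media; Path.suffix is "" for these.
EXPECTED_NAMES = {".htaccess"}
# PHP open tags; one of these inside an "image" marks a polyglot or renamed script.
PHP_MARKERS = (b"<?php", b"<?=")
MAX_SCAN_BYTES = 16 * 1024 * 1024  # content check is truncated beyond this size


@dataclass(frozen=True)
class Finding:
    path: str    # relative to the audited root, POSIX separators
    reason: str  # executable_extension | unexpected_extension | php_tag_in_content


def inspect_file(path: Path, root: Path) -> list:
    """Return the findings for one file; an empty list means nothing suspicious."""
    rel = path.relative_to(root).as_posix()
    findings = []
    suffix = path.suffix.lower()
    if suffix in EXECUTABLE_EXTENSIONS:
        findings.append(Finding(rel, "executable_extension"))
    elif suffix not in EXPECTED_EXTENSIONS and path.name not in EXPECTED_NAMES:
        # Plaintext defacement files (.txt, .html, no extension) land here.
        findings.append(Finding(rel, "unexpected_extension"))
    with path.open("rb") as fh:
        data = fh.read(MAX_SCAN_BYTES)
    if any(marker in data for marker in PHP_MARKERS):
        findings.append(Finding(rel, "php_tag_in_content"))
    return findings


def audit_media_tree(root, modified_within_seconds=None) -> list:
    """Walk `root` and collect findings. With `modified_within_seconds` set, only
    files touched inside that window are examined, which narrows a review to the
    period a campaign was known to be active."""
    root = Path(root)
    now = time.time()
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if modified_within_seconds is not None:
            if now - path.stat().st_mtime > modified_within_seconds:
                continue
        findings.extend(inspect_file(path, root))
    return findings


# Constructed sample tree: a clean image, a plaintext defacement note, a renamed
# PHP script, an image/PHP polyglot, and Magento's own .htaccess.
SAMPLE_FILES = {
    ".htaccess": b"Options -Indexes\n",
    "catalog/product/chair.jpg": b"\xff\xd8\xff\xe0 constructed JPEG bytes",
    "catalog/product/notice.txt": b"defaced by <handle> - constructed sample\n",
    "wysiwyg/logo.png": b"\x89PNG\r\n\x1a\n constructed image bytes <?php echo 'polyglot'; ?>",
    "wysiwyg/upload.php": b"<?php echo 'constructed renamed script'; ?>",
}


def build_sample_tree(base) -> Path:
    """Write SAMPLE_FILES under `base` and return it as the audit root."""
    base = Path(base)
    for rel, content in SAMPLE_FILES.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base


def run_sample_audit(modified_within_seconds=None) -> list:
    """Audit the constructed sample tree in a temp dir; return (path, reason) tuples."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return [(f.path, f.reason) for f in audit_media_tree(root, modified_within_seconds)]


if __name__ == "__main__":
    # Usage: python audit_media.py [/path/to/magento/pub/media] [days]
    if len(sys.argv) > 1:
        window = int(sys.argv[2]) * 86400 if len(sys.argv) > 2 else None
        results = audit_media_tree(sys.argv[1], window)
    else:
        results = [Finding(p, r) for p, r in run_sample_audit()]
    for f in results:
        print(f"{f.reason:22} {f.path}")
```

Run with no arguments it audits the constructed sample and reports the defacement note, the renamed script and the polyglot while leaving the real image and `.htaccess` alone; pointed at a live `pub/media` with a day count it limits the walk to recently modified files. Any hit on `php_tag_in_content` for a file with an image extension deserves a closer look regardless of how the file was named, because extension checks alone do not catch that case.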
As cybersecurity threats continue to evolve, stakeholders are urged to remain vigilant and implement necessary security measures to safeguard their digital assets.
