Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers


Cybersecurity firm Sansec has exposed a sophisticated supply chain attack that compromised 21 popular e-commerce applications, giving hackers full control over hundreds of online stores.

The campaign, which began with the injection of backdoors as early as six years ago, was only activated this week, affecting vendors like Tigren, Meetanshi, MGS (Magesolution), and potentially Weltpixel. Sansec estimates that 500 to 1,000 stores are currently running compromised software—including one linked to a $40 billion multinational retailer. The earliest signs of active exploitation date back to April 20, 2025.

Coordinated Supply Chain Hack

This attack involved breaching vendor servers and embedding backdoors into downloadable packages between 2019 and 2022. Once installed, these backdoors gave hackers access to the stores—and by extension, to customer data.

Affected modules include:

  • Tigren: Ajaxsuite, Ajaxcart, Ajaxlogin
  • Meetanshi: ImageClean, CookieNotice
  • MGS: Lookbook, GDPR modules
  • Weltpixel: GoogleTagManager extension (investigation ongoing)

Technical Details

The malicious code hides in a fake license validation system within License.php or LicenseApi.php. A vulnerable function, adminLoadLicense, executes attacker-controlled code via a $licenseFile variable, enabling remote code execution.

Earlier versions required no authentication, while later ones use static secret keys (SECURE_KEY, SIGN_KEY) that are still vulnerable. The attack is triggered through registration.php, which loads the malicious license check if present.

Backdoor paths and filenames vary by vendor—e.g., mtn-license (Meetanshi) and apj-license (Tigren).

What Store Owners Should Do

Sansec strongly recommends:

  • Checking for suspicious license files
  • Reviewing server logs for unauthorized access
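
One way to carry out the first check, as an added example that is not code from Sansec or the affected vendors: a Python scan for the file names and identifiers listed under Technical Details. The sample module tree, the `LOADER_RE` include pattern and the function names are constructed for illustration, and a hit means the file needs manual review, not that it is confirmed malicious.

```python
import os
import re
import tempfile

# Names and strings come from the article; a match means "review this file", not proof.
LICENSE_NAMES = {"License.php", "LicenseApi.php"}
INDICATORS = ("adminLoadLicense", "$licenseFile", "SECURE_KEY", "SIGN_KEY")
# Assumed pattern: registration.php including a license file (the trigger described above).
LOADER_RE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*License(?:Api)?\.php")

def scan_tree(root):
    """Map relative path -> list of indicators found under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname not in LICENSE_NAMES and fname != "registration.php":
                continue
            full = os.path.join(dirpath, fname)
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if fname == "registration.php":
                hits = ["loads license file"] if LOADER_RE.search(text) else []
            else:
                hits = [i for i in INDICATORS if i in text]
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings

# Constructed sample modules (not real vendor code): only VendorA carries the markers.
SAMPLES = {
    "VendorA/Mod/registration.php": "<?php require_once __DIR__ . '/Helper/License.php';",
    "VendorA/Mod/Helper/License.php": "<?php function adminLoadLicense($licenseFile) {}",
    "VendorB/Mod/registration.php": "<?php // registers the module only",
    "VendorB/Mod/Model/License.php": "<?php class License { function isValid() {} }",
}

def scan_constructed_samples():
    """Write SAMPLES to a temp dir and scan it; returns the findings dict."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(tmp)

if __name__ == "__main__":
    for path, hits in sorted(scan_constructed_samples().items()):
        print(f"REVIEW {path}: {', '.join(hits)}")
```

To scan a real installation, call `scan_tree()` on the store's module directories and compare each flagged file against a clean copy of the same extension version.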

This incident highlights the severe risk of supply chain vulnerabilities—where a single compromise at the vendor level can endanger an entire business ecosystem.

As investigations continue, this serves as a clear reminder: regular security audits, code reviews, and better software vetting are essential to defend against long-dormant, deeply embedded threats.


By | 2025-05-06T06:48:42+05:30 May 5th, 2025|Compromised, Exploitation, Internet Security, Security Advisory, Security Update, Tips|

About the Author:

FirstHackersNews- Identifies Security
