Tucson News Plus


Thousands of Magento Sites Hit in Ongoing Defacement Campaign

Apr 08, 2026  Twila Rosenbaum

Over 7,500 Magento sites have fallen victim to a large-scale defacement campaign that began three weeks ago, according to reports from a digital risk protection platform.

The attackers directly uploaded defacement files onto the affected infrastructure, resulting in plaintext files being distributed across more than 15,000 hostnames.

While most of the text files contain the handles of the attackers, a small portion includes political messages linked to recent geopolitical tensions. These messages were observed only for a single day, March 7, 2026, indicating that they were not the primary aim of the campaign.

As noted by the security firm, the majority of the incidents were reported to a defacement archive using the account name ‘Typical Idiot Security’, which is also featured in the defacement messages. This suggests that the attackers are attempting to establish a reputation within the cybercriminal community.

According to the risk protection platform, the attackers likely exploited an unauthenticated file upload vulnerability affecting multiple Magento versions, including Magento Open Source (Community Edition), Magento Enterprise / Adobe Commerce, and Adobe Commerce deployments with Magento B2B.

The campaign shows notable similarities to the October 2025 attacks that exploited the SessionReaper flaw, and the method used in the latest campaign successfully allowed the upload of a text file to a test instance of Magento Community.

This defacement campaign has affected a range of global brands, including Asus, BenQ, Citroën, Diesel, FedEx, Fiat, Fila, Bandai, Lindt, Toyota, and Yamaha. The attacks primarily targeted subdomains, regional storefronts, and staging environments, although some production-facing sites were also briefly defaced.

In addition to corporate sites, several regional government services, university domains in Latin America and Qatar, and international non-profit organizations were impacted. Notably, several domains associated with the Trump Organization also experienced defacements.

New Vulnerability: PolyShell

As news of the defacement campaign emerged, another security firm reported a new vulnerability in the REST API of Magento and Adobe Commerce. This flaw could potentially be exploited to upload executables to any store without authentication.

The vulnerability affects all versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2, and it could lead to Cross-Site Scripting (XSS) attacks in all versions prior to 2.3.5. The vulnerable code has been present since the initial release of Magento 2. Adobe has addressed the issue in the 2.4.9 pre-release branch but has not provided an isolated patch for current production versions.

The cybersecurity firm that identified this vulnerability, dubbed PolyShell, noted that many sites are exposing files in their upload directory; however, there have been no indications of this flaw being exploited in the wild thus far.

“We have not observed any active exploitation so far. However, the method of exploitation is already circulating, and we expect automated attacks to emerge soon,” the security firm stated.

Related Security Threats:

In recent weeks, there have been several other security threats, including a campaign targeting VPN users for credential theft, data theft campaigns affecting hundreds of Salesforce customers, and cloned AI tool sites distributing malware.


Source: SecurityWeek News

