In a significant security breach, over 7,500 Magento websites have been targeted in a widespread defacement campaign that began approximately three weeks ago, according to reports from digital risk protection services.
The attacks involved the deployment of defacement files directly onto the affected infrastructures, which were found in the form of plaintext files across more than 15,000 hostnames. These files typically included the handles of the attackers, with a smaller subset containing politically charged messages linked to recent geopolitical events.
Netcraft, a security firm investigating the incidents, noted that these political messages were only visible for a brief period on March 7, 2026, and were absent in both prior and subsequent defacements, indicating that they were not the central aim of the campaign.
Most of the reported incidents were logged in the defacement archive by an account named 'Typical Idiot Security', which also appeared in the defacement messages. This suggests that the attackers are attempting to establish a notable presence in the cyber threat landscape.
According to the findings, it appears that the threat actors are exploiting an unauthenticated file upload vulnerability present in various versions of Magento, including Open Source (Community Edition), Magento Enterprise/Adobe Commerce, and Adobe Commerce with Magento B2B. Similarities have been drawn between this campaign and previous attacks from October 2025 that exploited the SessionReaper vulnerability, and testing confirmed that the latest Magento Community version could be compromised to upload text files to a test instance.
Global brands, including Asus, BenQ, Citroën, Diesel, FedEx, Fiat, Fila, Bandai, Lindt, Toyota, and Yamaha, have been affected, particularly in their subdomains, regional storefronts, and staging environments, though some production-facing sites were also briefly defaced. Additionally, several regional government services, universities in Latin America and Qatar, as well as international non-profit organizations, saw disruptions, with multiple domains linked to the Trump Organization also being defaced.
Emergence of the PolyShell Vulnerability
The news of this extensive defacement campaign coincided with the reporting of a new vulnerability in the REST API of Magento and Adobe Commerce. This flaw could allow attackers to upload executable files to any store without requiring authentication.
The vulnerability affects all versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2, and additionally exposes all versions prior to 2.3.5 to cross-site scripting (XSS). The vulnerable code has been present since the initial release of Magento 2, and although Adobe has addressed the issue in the 2.4.9 pre-release branch, no standalone patch is available for the current production versions.
Sansec, the cybersecurity firm that identified this vulnerability, named it PolyShell. Many sites are reportedly exposing files within the upload directory, but there have been no confirmed cases of exploitation in the wild so far.
Sansec has not yet observed active exploitation of the PolyShell vulnerability, but the methodology for exploitation is already circulating among threat actors, leading to expectations of automated attacks in the near future.
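Both campaigns described above leave the same kind of artifact on the server: files in a web-accessible upload directory that do not belong there, whether plaintext defacement notes or executable content hiding behind an image extension. The following script is an added defensive example (not code from Netcraft, Sansec, Adobe, or the Magento project) that walks an upload directory and flags files with an unexpected extension, files whose magic bytes disagree with their extension, and image files that also carry script markers. The directory it scans is built in a temporary folder as constructed sample data; the Magento upload location you would point it at (for example under `pub/media`) is an assumption to adjust for your deployment.

```python
import os
import tempfile

# Magic bytes for the image types a store upload directory is expected to hold.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".webp": (b"RIFF",),
}

# Byte sequences that have no business inside an image upload directory.
SUSPICIOUS_MARKERS = (b"<?php", b"<script", b"#!/")


def scan_upload_dir(root):
    """Walk an upload tree and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(512)  # header plus a bit of body is enough here

            # Anything that is not an allowed image type is reported outright
            # (this is where plaintext defacement notes show up).
            if ext not in IMAGE_SIGNATURES:
                findings.append((rel, f"unexpected extension {ext or '(none)'}"))
                continue

            # Extension says image, content says otherwise.
            if not head.startswith(IMAGE_SIGNATURES[ext]):
                findings.append((rel, "magic bytes do not match extension"))
                continue

            # Valid image header followed by script content (polyglot-style file).
            lowered = head.lower()
            for marker in SUSPICIOUS_MARKERS:
                if marker in lowered:
                    findings.append((rel, f"valid image header but contains {marker!r}"))
                    break
    return sorted(findings)


def build_sample_tree():
    """Construct a sample upload tree: one clean PNG, one plaintext defacement
    note, and one JPEG header followed by PHP. Returns the temporary root."""
    root = tempfile.mkdtemp(prefix="upload_scan_")
    os.makedirs(os.path.join(root, "catalog"))
    with open(os.path.join(root, "catalog", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    with open(os.path.join(root, "hacked.txt"), "wb") as fh:
        fh.write(b"defaced by example-handle\n")  # constructed, not a real message
    with open(os.path.join(root, "catalog", "banner.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"<?php echo 'x'; ?>")
    return root


if __name__ == "__main__":
    # Replace build_sample_tree() with your real upload path, e.g. pub/media (assumed).
    for rel_path, reason in scan_upload_dir(build_sample_tree()):
        print(f"{rel_path}: {reason}")
```

Run it on a schedule, diff the output against the previous run, and treat any new finding as an incident trigger; it will not tell you how a file got there, but it will surface the defacement notes and image-disguised scripts this article describes within minutes rather than after a third party reports them.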
Source: SecurityWeek News