A widespread cyberattack campaign has compromised over 7,500 Magento-powered e-commerce websites since late February 2026. Attackers have been uploading hidden malicious files into publicly accessible web directories across thousands of domains, impacting commercial brands, government agencies, universities, and non-profit organizations globally. The broad scope of this Magento compromise, affecting over 15,000 hostnames, makes it one of the most expansive campaigns targeting this e-commerce platform in recent years.
Magento is a popular e-commerce platform used by businesses of all sizes, from small shops to large enterprises. Its widespread adoption makes it a prime target for attackers seeking to achieve broad impact with minimal effort. The current campaign demonstrates how a discovered exploitation method can be rapidly scaled, leading to thousands of unique domains falling victim within weeks.
Netcraft researchers first identified the campaign’s activity on February 27, 2026, and have been monitoring its progression. Notable organizations whose sites have been affected include global brands such as Toyota, Fiat, Citroën, Asus, Diesel, Fila, Bandai, FedEx, BenQ, Yamaha, and Lindt.
While the majority of compromises involved subdomains, staging environments, or regional storefronts rather than core production systems, some live customer-facing websites experienced brief disruptions before remediation measures were implemented. The campaign’s reach extended beyond the commercial sector to include regional government service domains, university websites in Latin America and Qatar, international non-profit infrastructure, and several domains associated with the Trump Organization, such as trumpstore.com, trumphotels.com, and booktrump.com.
Despite the high-profile nature of some affected entities, evidence suggests the targeting was indiscriminate, with vulnerable Magento infrastructure being caught in a broad sweep. The defaced pages primarily contained text files listing attacker aliases—L4663R666H05T, Simsimi, Brokenpipe, and Typical Idiot Security—along with “greetz” messages, a practice common in the defacement community to acknowledge collaborators.
A small number of defacements observed on March 7, 2026, included geopolitical messaging. Analysts concluded that this was an isolated incident that deviated from the typical pattern of activity and was not the campaign’s primary motivation.
How Attackers Got In: The File Upload Flaw
The attack appears to exploit an unauthenticated file upload vulnerability present in certain Magento configurations. This weakness allows attackers to write files directly to a web server without requiring any legitimate account credentials. Researchers from Netcraft confirmed this susceptibility by successfully uploading a .txt file to a test Magento instance running Magento Community 2.4.9-beta1, the platform’s latest version at the time of reporting. This indicates that even up-to-date Magento installations can remain vulnerable depending on server configurations.
The vulnerability affects Magento Open Source, Magento Enterprise, Adobe Commerce, and Adobe Commerce with the B2B module. While Adobe released a security bulletin addressing multiple Adobe Commerce vulnerabilities around this period, the specific exploit observed in this campaign does not appear to directly align with the published fixes. Security analysts have also noted similarities between this campaign and the SessionReaper Magento vulnerability from October 2025, which also involved unauthorized file access.
Many of the compromised pages were self-reported to Zone-H, a public defacement archive, by the handle “Typical Idiot Security,” an alias also found within the defacement content itself. This suggests an actor deliberately documenting their activities for recognition within the defacement community.
Organizations operating Magento-based infrastructure are strongly advised to conduct an immediate review of all exposed file upload endpoints. Applying available Adobe Commerce security updates without delay is crucial. Additionally, proactive monitoring of web directories for any unauthorized file additions and thorough investigation of any unexpected files found in publicly accessible server paths are essential. Given that new compromised sites continued to emerge at the time of writing, prompt and decisive action is paramount to mitigate further risks.
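One way to monitor a web directory for unauthorized file additions, shown as an added example that is not code from Netcraft, Adobe, or the original article. It takes a baseline manifest of a public directory and reports anything added, removed, or changed since then. The directory layout and file names in the demo are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(web_root):
    """Map each file under web_root to its SHA-256; symlinks are recorded, never followed."""
    root = Path(web_root)
    manifest = {}
    for dirpath, dirs, files in os.walk(root, followlinks=False):
        for name in files + dirs:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                manifest[rel] = "symlink:" + os.readlink(path)
            elif path.is_file():
                digest = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                manifest[rel] = digest.hexdigest()
    return manifest


def compare(baseline, current):
    """Report paths added, removed or changed since the baseline was taken."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed sample tree standing in for a publicly accessible web directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "media").mkdir()
        (root / "index.php").write_text("<?php // storefront entry point\n")
        (root / "media" / "logo.svg").write_text("<svg/>\n")
        baseline = snapshot(root)  # in practice, store outside the web root, read-only
        # Simulate an unauthorized file addition and an in-place modification.
        (root / "media" / "unexpected.txt").write_text("constructed sample\n")
        (root / "index.php").write_text("<?php // altered\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Run on a schedule against the real web root, any path in "added" that a deployment did not put there is a file to investigate.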

