Over 7,500 Magento sites have been compromised in a widespread defacement campaign that began three weeks ago, as reported by a digital risk protection platform.
The threat actors have deployed defacement files directly onto the affected servers, where they appear as plaintext files across more than 15,000 hostnames.
Many of the text files released by the attackers feature handles associated with the hackers, while a smaller portion contains political messages referencing recent geopolitical events.
According to reports, these political messages only appeared for a single day, specifically on March 7, 2026, and were not present in other defacements, indicating that political motives may not be the primary objective of the campaign.
The security platform notes that most incidents were reported to a defacement archive using the account name ‘Typical Idiot Security’, which coincides with the handles found in the defacement messages, suggesting that the attackers aim to establish their reputation.
Investigation reveals that the attackers are likely exploiting an unauthenticated file upload vulnerability affecting Magento Open Source (Community Edition), Magento Enterprise / Adobe Commerce, and Adobe Commerce deployments that include Magento B2B.
Similarities have been noted with prior attacks from October 2025 that exploited the SessionReaper flaw. The security team was able to replicate the vulnerability in the latest version of Magento Community, successfully uploading a text file to a test instance.
The campaign has impacted several prominent global brands including Asus, BenQ, Citroën, Diesel, FedEx, Fiat, Fila, Bandai, Lindt, Toyota, and Yamaha. The attackers primarily targeted subdomains, regional storefronts, and staging environments, although some production sites also faced brief defacements.
In addition to these brands, various regional government services, university domains in Latin America and Qatar, international non-profit organizations, and domains associated with the Trump Organization have also been affected.
PolyShell Vulnerability
The news of this defacement campaign coincides with a report from a cybersecurity firm detailing a new vulnerability in the REST API of Magento and Adobe Commerce that could allow attackers to upload executables to any store without authentication.
This vulnerability affects all versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2, and poses a cross-site scripting (XSS) risk in versions before 2.3.5.
According to the firm, the flawed code has been present since the initial release of Magento 2. Adobe addressed it in the 2.4.9 pre-release branch as part of a security advisory, but no isolated patch is available for current production versions.
Named PolyShell by the cybersecurity firm, this vulnerability allows many sites to expose files in their upload directories. However, there have been no confirmed reports of this flaw being actively exploited in the wild.
The firm indicates that, although it has not yet detected active exploitation, the method for exploiting this vulnerability is already in circulation, and automated attacks are anticipated to emerge soon.
Source: SecurityWeek News