Thousands of Magento Sites Hit in Ongoing Defacement Campaign

Apr 10, 2026, by Twila Rosenbaum

Over 7,500 Magento sites have fallen victim to a widespread defacement campaign that began three weeks ago, as reported by digital risk protection platform Netcraft.

The attackers placed defacement files directly on the affected servers, in the form of plaintext files spread across more than 15,000 hostnames.

Many of these text files feature the handles of the attackers, while a minority contain political messages alluding to recent geopolitical issues.

According to Netcraft, these political messages were only visible for a single day on March 7, 2026, and were absent in both prior and subsequent defacements, indicating that political commentary may not have been the primary objective of the campaign.

The security firm noted that most incidents were reported to the defacement archive Zone-H under the account 'Typical Idiot Security', which also appears in the defacement messages. This suggests that the threat actor is attempting to establish a reputation.

Netcraft suspects that the attackers are exploiting an unauthenticated file upload vulnerability affecting Magento Open Source (Community Edition), Magento Enterprise / Adobe Commerce, and Adobe Commerce deployments with Magento B2B.

Netcraft observed similarities between this campaign and the October 2025 attacks that leveraged the SessionReaper flaw, and was able to reproduce the technique against a test instance running the latest Magento Community version, uploading a text file to it.

The campaign has impacted well-known global brands such as Asus, BenQ, Citroën, Diesel, FedEx, Fiat, Fila, Bandai, Lindt, Toyota, and Yamaha. The majority of affected sites were subdomains, regional storefronts, and staging environments, although some production-facing sites experienced brief defacements.

Regional government services, university domains in Latin America and Qatar, as well as international non-profit organizations were also among those affected. Notably, several domains associated with the Trump Organization were defaced as well.

New Vulnerability: PolyShell

The news of this defacement campaign coincides with a report from Sansec detailing a new flaw in the REST API of Magento and Adobe Commerce, which could potentially allow attackers to upload executable files to any store without authentication.

This vulnerability impacts all versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2 and could be exploited for XSS in all versions prior to 2.3.5.

Sansec notes that this vulnerable code has existed since the initial release of Magento 2. Adobe has addressed it in the 2.4.9 pre-release branch as part of APSB25-94; however, no isolated patch is available for current production versions.

Sansec has dubbed the vulnerability PolyShell and notes that many sites may inadvertently expose files in the upload directory. So far, however, the flaw does not appear to have been actively exploited in the wild.

“Sansec has not observed any active exploitation so far. Nonetheless, the method of exploiting this vulnerability is already circulating, and Sansec anticipates that automated attacks will emerge soon,” the cybersecurity firm warns.
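As an added defender-side example (not code from Netcraft, Sansec, SecurityWeek or the Magento project), the script below audits a Magento media/upload tree for the artifacts both reports describe: server-executable files or image-named files carrying PHP in the upload directory, and plaintext files carrying the defacement handle quoted above. The pub/media path, the extension lists and the sample tree are assumptions constructed for this example.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical lists for this example: extensions that must never appear as
# executable content in a Magento media/upload tree, and image types to inspect.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".php7", ".phps", ".shtml"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg"}
# Marker taken from the article: the handle left in the defacement files.
DEFACEMENT_MARKERS = (b"typical idiot security",)

def classify_file(path):
    """Return a finding label for a suspicious file, or None if nothing stands out."""
    ext = path.suffix.lower()
    head = path.read_bytes()[:4096].lower()
    if ext in EXECUTABLE_EXTS:
        return "executable-in-upload-dir"
    if ext in IMAGE_EXTS and b"<?php" in head:
        return "php-in-image"  # image name with a PHP body: a polyglot upload
    if ext in {".txt", ".html", ".htm"} and any(m in head for m in DEFACEMENT_MARKERS):
        return "defacement-text"
    return None

def audit_upload_dir(root):
    """Walk root (e.g. pub/media) and return sorted (relative path, label) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            label = classify_file(path)
            if label:
                findings.append((path.relative_to(root).as_posix(), label))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample media tree: two benign files and three that should be flagged."""
    root = tempfile.mkdtemp(prefix="magento-media-")
    samples = {
        "catalog/product/banner.png": b"\x89PNG\r\n\x1a\n(placeholder image bytes)",
        "wysiwyg/readme.txt": b"Upload guidelines for the content team.",
        "custom_options/upload.php": b"<?php /* placeholder, should not be here */ ?>",
        "catalog/product/logo.jpg": b"GIF89a<?php /* placeholder polyglot */ ?>",
        "wysiwyg/hacked.txt": b"Hacked by Typical Idiot Security",
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return root
```

Run `audit_upload_dir(build_sample_tree())` to see the three constructed findings; point it at a real pub/media directory to audit a store, and treat any executable or PHP-bearing hit as a reason to check the web server's execution rules for that tree.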

Related Threats: Threat actors are also targeting VPN users in a new credential theft campaign, while hundreds of Salesforce customers have reportedly been targeted in a separate data theft effort. Additionally, cloned AI tool sites are distributing malware in an 'InstallFix' campaign, and LastPass has issued warnings regarding a new phishing campaign.


Source: SecurityWeek News
