Hackers Compromise 7,500+ Magento Websites in Large-Scale Campaign

What happened

A large-scale cyberattack campaign compromised more than 7,500 Magento-powered websites since late February 2026, with attackers uploading hidden malicious or defacement files into publicly accessible directories across affected servers. The activity spread across more than 15,000 hostnames, impacting e-commerce stores, global brands, government services, and other organizations worldwide. Researchers observed attackers gaining unauthorized access and deploying files directly onto vulnerable infrastructure, with many incidents appearing opportunistic and driven by automated scanning and exploitation of weak configurations or unpatched systems. 

Who is affected

Organizations running Magento (Adobe Commerce) platforms are affected, including e-commerce businesses, enterprises, and public-sector sites whose infrastructure was exposed or improperly secured. 

Why CISOs should care

The campaign highlights how attackers are increasingly using automated techniques to exploit common weaknesses at scale, enabling mass compromise of widely used platforms and creating risk for data theft, defacement, and further intrusion. 

3 practical actions

1. Patch and update Magento systems. Ensure all instances are running supported and fully updated versions. 
2. Restrict access to public directories. Limit exposure of upload paths and sensitive directories to prevent unauthorized file placement. 
3. Monitor for malicious file uploads. Detect unexpected files or changes in web directories that may indicate compromise. 

The campaign comes as researchers recently disclosed the PolyShell vulnerability in Magento, which could enable unauthorized file uploads and system compromise if left unpatched.