A widespread defacement campaign has impacted over 7,500 Magento sites, according to reports from a digital risk protection platform.
The campaign, which began three weeks ago, has seen threat actors place plaintext defacement files directly on the compromised servers, across more than 15,000 hostnames.
Many of the text files observed contain handles of the attackers, while a smaller number feature political messages related to recent geopolitical conflicts.
According to the report, these political messages were only visible for a single day, specifically on March 7, 2026, and were not present in either earlier or later defacements. This indicates that these political references were not the primary motivation behind the campaign.
Most of the incidents have been reported to a defacement archive using the account name ‘Typical Idiot Security,’ which is also the handle found in the defacement messages. This suggests an intent by the threat actors to build a reputation within the cybercriminal community.
Further analysis indicates that the attackers are likely exploiting an unauthenticated file upload vulnerability that affects Magento Open Source (Community Edition), Magento Enterprise / Adobe Commerce, and Adobe Commerce deployments with Magento B2B capabilities.
Similarities have been noted between this campaign and previous attacks from October 2025 that exploited a flaw known as SessionReaper. The security platform reproduced the issue by uploading a text file to a test instance running the latest version of Magento Community.
The defacement campaign has affected numerous global brands, including Asus, BenQ, Citroën, Diesel, FedEx, Fiat, Fila, Bandai, Lindt, Toyota, and Yamaha. The attacks primarily targeted subdomains, regional storefronts, and staging environments, although some production-facing sites were also defaced for a brief period.
In addition to corporate entities, several regional government services, universities in Latin America and Qatar, and international non-profit organizations have fallen victim. Notably, various domains associated with the Trump Organization have also been targeted.
PolyShell Vulnerability
The news of this extensive defacement campaign coincides with reports of a new vulnerability in the REST API of Magento and Adobe Commerce. This flaw could permit the upload of executable files to any store without requiring authentication.
The vulnerability impacts all versions of Magento Open Source and Adobe Commerce up to 2.4.9-alpha2, and poses a risk for XSS attacks in all versions prior to 2.3.5.
This vulnerable code has reportedly existed since the initial release of Magento 2. Adobe has addressed it in the 2.4.9 pre-release branch, but no standalone patch is available for current production versions.
The security firm has named this vulnerability PolyShell, noting that many sites expose files in their upload directories. However, there is currently no indication that this flaw has been actively exploited in the wild.
While no active exploitation has been observed, the method of exploitation is already circulating, raising concerns that automated attacks may soon emerge.
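A defender-side check prompted by the note that many sites expose files in their upload directories: the script below is an added example, not code from the article or from the security firm. It walks a Magento media tree (assumed to be pub/media; the article does not name the path) and flags server-side scripts and non-media files such as the plaintext defacement notes described above, marking recently written ones separately. The tree it scans is constructed inline as sample data.

```python
import tempfile
import time
from pathlib import Path

# Assumed allowlist of file types a Magento media tree normally holds.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg", ".pdf", ".ico"}
# Server-side script types that should never sit in a web-served upload tree.
SERVER_SIDE_EXTENSIONS = {".php", ".phtml", ".phar"}


def audit_upload_tree(root, recent_hours=72, now=None):
    """Return (relative_path, reason) pairs for files that do not belong.

    Reasons: 'server-side' for script files; 'non-media' for anything outside
    the media allowlist (e.g. a plaintext defacement file); 'non-media-recent'
    when such a file was written within the last `recent_hours`.
    """
    now = time.time() if now is None else now
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        ext = path.suffix.lower()
        if ext in SERVER_SIDE_EXTENSIONS:
            findings.append((rel, "server-side"))
        elif ext not in MEDIA_EXTENSIONS:
            age_hours = (now - path.stat().st_mtime) / 3600
            reason = "non-media" if age_hours > recent_hours else "non-media-recent"
            findings.append((rel, reason))
    return findings


def build_sample_tree(base):
    """Construct a small fake upload tree (sample data, not from any real site)."""
    base = Path(base)
    (base / "catalog" / "product").mkdir(parents=True)
    (base / "catalog" / "product" / "shoe.jpg").write_bytes(b"\xff\xd8 fake image")
    (base / "wysiwyg").mkdir()
    # Plaintext note of the kind the campaign leaves behind; text constructed here.
    (base / "wysiwyg" / "notice.txt").write_text("constructed defacement sample\n")
    (base / "upload.php").write_text("<?php // constructed placeholder, not a real payload\n")
    return base


def run_demo(now=None):
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_upload_tree(build_sample_tree(tmp), now=now)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{reason:18} {rel}")
```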
In conclusion, the ongoing defacement campaign underscores the critical need for website owners using Magento to ensure their systems are secure and up-to-date to prevent such vulnerabilities from being exploited.
Source: SecurityWeek News