Hackers defaced 7,500 Magento sites since Feb 27, uploading files across 15,000 hostnames, mostly opportunistic attacks.
Since February 27, a large-scale campaign has defaced over 7,500 Magento sites, targeting e-commerce platforms, global brands, and government services. According to cybersecurity firm Netcraft, attackers placed plaintext defacement files across more than 15,000 hostnames, directly compromising affected infrastructure.
“Netcraft detected this campaign’s first activity on 27 February 2026, with newly compromised sites continuing to appear at the time of writing.” reads the report published by Netcraft. “Netcraft is tracking this campaign’s activity over 15,000+ hostnames (subdomains) within ~7,500 unique domains. Defacements were uploaded as plaintext files hosted directly on affected infrastructure.”
Defacement pages show handles like L4663R666H05T, Simsimi, Brokenpipe, and Typical Idiot Security, often with “greetz” lists typical of defacement culture.
Most defaced sites hosted simple txt files showing attacker handles, often with “greetz” lists. A few (under 10) contained brief geopolitical messages on 7 March 2026, not central to the campaign. Many pages were reported to Zone-H by “Typical Idiot Security,” suggesting the actor self-reports to gain notoriety.
EXPLORE MORE
Missing Juvenile Safaa Muhammad from the 39th District
The Philadelphia Police Department is requesting the public’s help in locating a…
Endangered Missing Person Kira Hunter from the 25th District
Endangered Missing Person Kira Hunter from the 25th District | Philadelphia Police…
U.S. CISA adds Microsoft SharePoint and Zimbra flaws to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SharePoint and Zimbra flaws…
Bill would give Americans enlisted in Israeli army the same benefits as US soldiers
A bill introduced in the 118th Congress would grant U.S. citizens serving…
![Wanted: Suspect for Homicide in the 18th District [VIDEO]](https://thephillypi.com/wp-content/uploads/2026/05/Wanted-Suspect-for-Homicide-in-the-18th-District-VIDEO-768x512.jpg "Wanted: Suspect for Homicide in the 18th District [VIDEO]")
Wanted: Suspect for Homicide in the 18th District [VIDEO]
The Philadelphia Police Department is seeking the public’s help in identifying a…
Missing Juvenile Maryah Walker from the 24th District
The Philadelphia Police Department is requesting the public’s assistance in locating a…
Initial investigation indicates attackers may exploit unauthenticated file uploads in some Magento environments, affecting Open Source, Enterprise, and B2B editions. Netcraft researchers observed only text defacements. While Adobe released security bulletins, these do not appear directly linked. The campaign resembles the October 2025 SessionReaper attack, with successful test uploads on Magento Community 2.4.9-beta1, highlighting Magento’s widespread global use.
The campaign hit high-profile brands like Toyota, Fiat, Asus, Bandai, FedEx, and others, mostly on subdomains, staging, or regional sites, with some production sites briefly affected. The campaign hit Government and academic domains in Latin America and Qatar, and non-profits. Attackers also defaced several Trump Organization domains, likely as part of broad opportunistic exploitation rather than targeted attacks.
“Given the scale of the activity and the number of high-profile domains affected, this campaign highlights how widely deployed web platforms can become a force multiplier for attackers conducting opportunistic exploitation.” concludes the report.
