www.securityweek.com 3/20/2026, 10:47:46 AM

Thousands of Magento Sites Hit in Ongoing Defacement Campaign

Thousands of Magento sites have been hit in a mass defacement campaign that began on 27 February 2026, targeting e‑commerce platforms, global brands and government services, according to SecurityWeek. Netcraft reports that over 7,500 Magento sites were affected in the three weeks since the campaign started, with defacement files uploaded across more than 15,000 hostnames and messages appearing in plaintext files on many of them.

The attacker handles include Typical Idiot Security, a pattern that suggests the threat actor is aiming to build a reputation. Messages appeared for a single day on 7 March 2026. Netcraft says the campaign is likely exploiting an unauthenticated file upload vulnerability impacting Magento Open Source (Community Edition), Magento Enterprise/Adobe Commerce, and Adobe Commerce deployments with Magento B2B.

Related analysis notes similarities with the October 2025 SessionReaper exploits, and Sansec warns of a PolyShell vulnerability in the Magento/Adobe Commerce REST API that could allow unauthenticated uploads, though it states there has been no active exploitation observed in the wild yet.


Article by CyberSIXT