PolyShell Attacks Target 56% of All Vulnerable Magento Stores
PolyShell attacks are now exploiting 56% of all vulnerable Magento Open Source and Adobe Commerce stores, with hackers launching attacks just days after the flaw was disclosed. The vulnerability lies in Magento’s REST API, allowing polyglot file uploads that can lead to remote code execution or XSS if server settings permit. Adobe released a patch (2.4.9‑beta1) on March 10, but it remains unavailable for stable releases. Sansec has identified active attack IPs and revealed that some attackers are also deploying a WebRTC-based payment card skimmer capable of bypassing strict CSP controls, which was detected on a major automotive e‑commerce site. Defenders are urged to apply the latest patches and monitor for indicators of compromise.

A wave of exploits targeting a critical PolyShell flaw in Magento Open Source and Adobe Commerce installations is sweeping the e-commerce landscape, affecting more than half of the stores believed to be vulnerable. Security researchers from Sansec reported that mass exploitation began on March 19, 2026, a mere two days after public disclosure of the vulnerability. In their latest observations, Sansec noted that attacks were present on approximately 56.7% of stores deemed vulnerable, signaling a rapid and broad-scale campaign that shows no immediate signs of fading.
At the technical core, the problem centers on Magento’s REST API, which accepts file uploads as part of a cart item’s custom options. When coupled with permissive server configurations, this design lets attackers upload polyglot files (files valid as more than one format at once) that, depending on how the server handles them, are either executed as server-side code (remote code execution) or served back to visitors as stored cross-site scripting (XSS). In practical terms, a malicious actor could leverage these uploads to gain control over the hosting environment or to compromise user sessions, with potential ripple effects spanning merchant data, payment flows, and customer trust.
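A defensive check for the upload path described above, written here as an added example and not Sansec's or Magento's own code: it rejects custom-option uploads whose extension, magic bytes and body disagree, which is exactly the mismatch a polyglot relies on. The allowlist of image types and the active-content markers are assumptions chosen for illustration.

```python
import re

# Magic-byte signatures for the image types a cart custom-option upload normally carries
# (assumed allowlist; extend to whatever the store actually permits).
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Markers of server-side or active client-side content that have no place inside an image.
ACTIVE_CONTENT = [
    re.compile(rb"<\?(php|=)", re.IGNORECASE),   # PHP open tag -> RCE if served as script
    re.compile(rb"<script\b", re.IGNORECASE),    # stored XSS if served as HTML
    re.compile(rb"<svg\b", re.IGNORECASE),       # SVG can carry script too
]

# Double extensions such as image.php.png, which some server configs still hand to PHP.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)


def check_upload(filename, data):
    """Return a list of rejection reasons; an empty list means the upload looks sane."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_MAGIC:
        reasons.append(f"extension '{ext}' not in allowlist")
    elif not data.startswith(IMAGE_MAGIC[ext]):
        reasons.append("magic bytes do not match extension")
    if SCRIPT_EXT.search(filename):
        reasons.append("server-side script extension in filename")
    for pat in ACTIVE_CONTENT:
        if pat.search(data):
            reasons.append("active content marker found in body")
            break
    return reasons


# Constructed samples: a clean PNG header and a PNG header with PHP appended (a polyglot).
CLEAN_PNG = IMAGE_MAGIC["png"] + b"\x00" * 16
POLYGLOT_PNG = IMAGE_MAGIC["png"] + b"\x00" * 8 + b"<?php echo 'x'; ?>"
```

Run this on the multipart body before anything is written to disk; on a live store the same checks belong in front of the REST endpoint, not only in the admin upload path.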
Adobe responded to the vulnerability by releasing a fix in 2.4.9-beta1 on March 10, 2026. However, this update has not yet made it into the stable production branch for most users. Attempts to obtain a production ETA from Adobe have not yielded a public response, leaving organizations still running on vulnerable configurations exposed to ongoing attacks until a stable release is broadly deployed.
To aid defense efforts, Sansec has published an IP address list that highlights active scanning and exploitation attempts targeting Magento stores vulnerable to PolyShell. This live feed provides researchers and administrators with a way to monitor emerging activity and to correlate it with observed compromise patterns across different environments. The distribution of these scans underscores the scale of the campaign and the speed with which threat actors are scanning and attempting exploitation across the ecosystem.
Beyond the PolyShell vector, Sansec has identified a second, related line of activity involving a novel payment card skimmer that uses Web Real-Time Communication (WebRTC) to exfiltrate data. WebRTC relies on DTLS-encrypted UDP rather than standard HTTP traffic, which makes detection harder for some security controls, including those enforcing strict Content Security Policy (CSP) rules such as connect-src. The skimmer is implemented as a lightweight JavaScript loader that connects to a hardcoded command-and-control server via WebRTC, bypassing normal signaling through a forged session description exchange. A second-stage payload is delivered through the encrypted channel and executed while evading CSP defenses by reusing an existing script nonce or by resorting to unsafe-eval or direct script injection. To reduce the chance of quick detection, the payload’s execution is delayed using the browser’s requestIdleCallback mechanism.
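The traits Sansec describes (a peer connection fed a literal session description instead of one obtained from a signaling server, idle-time execution, and a CSP-evading execution primitive such as nonce reuse or eval) can be turned into a static triage heuristic for storefront scripts. This is an added example, not Sansec's tooling; the regexes, weights and the two constructed script snippets are assumptions.

```python
import re

# Each trait: (pattern over JavaScript source, weight). Weights are an assumption.
TRAITS = {
    "rtc_peer_connection": (re.compile(r"\bnew\s+(?:webkit)?RTCPeerConnection\b"), 1),
    "data_channel": (re.compile(r"\.createDataChannel\s*\("), 1),
    # setRemoteDescription followed within 200 chars by a string literal holding SDP:
    # the "forged session description" that replaces a real signaling exchange.
    "inline_sdp": (re.compile(r"""setRemoteDescription[\s\S]{0,200}?['"`][^'"`]*(?:v=0|a=fingerprint:)"""), 3),
    "idle_delay": (re.compile(r"\brequestIdleCallback\s*\("), 1),
    "dynamic_exec": (re.compile(r"""\beval\s*\(|\bnew\s+Function\s*\(|createElement\s*\(\s*['"]script['"]\s*\)"""), 2),
    "nonce_reuse": (re.compile(r"""\.nonce\b|script\[nonce\]|getAttribute\s*\(\s*['"]nonce['"]\s*\)"""), 2),
}

# Legitimate WebRTC code exchanges SDP over some signaling channel; its absence is a tell.
SIGNALING = re.compile(r"\bfetch\s*\(|\bnew\s+WebSocket\s*\(|\bXMLHttpRequest\b")


def score_script(source):
    """Return (score, sorted trait names) for one JavaScript source text."""
    hits = {name for name, (pat, _) in TRAITS.items() if pat.search(source)}
    score = sum(TRAITS[name][1] for name in hits)
    if "rtc_peer_connection" in hits and "inline_sdp" in hits and not SIGNALING.search(source):
        hits.add("no_signaling")
        score += 2
    return score, sorted(hits)


def is_suspicious(source, threshold=6):
    """Flag a script for manual review once enough skimmer traits co-occur."""
    return score_script(source)[0] >= threshold


# Constructed snippet of an ordinary video-chat page: SDP comes from a signaling endpoint.
BENIGN = ('const pc = new RTCPeerConnection(cfg); '
          'const answer = await fetch("/signal").then(r => r.json()); '
          'await pc.setRemoteDescription(answer);')

# Constructed, deliberately non-functional fragment that only carries the API tokens
# the page describes; the SDP and nonce values are placeholders.
SUSPICIOUS = ('new RTCPeerConnection({}); pc.createDataChannel("x"); '
              'pc.setRemoteDescription({type: "answer", sdp: "v=0 a=fingerprint:sha-256 PLACEHOLDER"}); '
              'requestIdleCallback(function () { document.createElement("script").nonce = '
              'document.querySelector("script[nonce]").nonce; });')
```

Point it at the scripts actually served on checkout pages (inline and third-party); a high score is a review queue entry, not proof of compromise, and a real WebRTC feature that uses signaling stays well below the threshold.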
Sansec’s researchers also noted that the WebRTC-based skimmer has appeared on a high-profile e-commerce site belonging to a carmaker valued at more than a hundred billion dollars. The incident illustrates how even very large, well-resourced brands can be affected by sophisticated exfiltration techniques that operate under the radar of standard security controls. In response, Sansec published indicators of compromise to help defenders identify and mitigate these threats in a timely manner, highlighting the ongoing need for vigilant monitoring of storefront scripts, unusual upload paths, and anomalous network behavior that may indicate a breach or skimming activity.
In a broader context, the Red Report 2026 adds another dimension to the evolving threat landscape by examining how modern malware employs mathematical techniques to detect sandbox environments and blend into normal traffic. The report emphasizes that cyber threats are increasingly crafted to appear legitimate, encrypt their payloads, and operate under the radar of conventional security tooling. The trend suggests a shift toward stealthier exfiltration and more resilient persistence mechanisms, reinforcing the idea that security teams must adopt holistic monitoring across application layers, network behavior, and data flows to stay ahead of adversaries.
Taken together, these developments illuminate a challenging and dynamic environment for Magento-based stores and similar e-commerce platforms. The PolyShell campaign demonstrates the practical consequences of a misconfigured REST API and the real-world impact of deploying a patch in a beta state without timely production deployment. The WebRTC-based skimmer illustrates how attackers continue to push the boundaries of data theft, exploiting newer communication channels to bypass traditional defenses. For administrators overseeing online storefronts, the current landscape emphasizes the importance of timely patching, continuous monitoring for unusual upload patterns, vigilant review of third-party scripts, and a willingness to adapt defenses as threat actors pursue broader reach and greater stealth. The confluence of a high-stakes supply chain, valuable customer data, and increasingly sophisticated exploitation techniques makes the task of safeguarding online commerce both urgent and intricate.