Huge numbers of web stores are facing attack from this dangerous new malware
- PolyShell vulnerability in Magento/Adobe Commerce mass exploited, hitting over half of vulnerable stores
- Attackers deploy novel WebRTC-based credit card skimmer to evade security controls
- Compromised versions targeted since March 19, including high-value ecommerce sites
PolyShell, a newly discovered vulnerability in certain Magento Open Source and Adobe Commerce installations, is now being actively used in attacks against a large number of websites, researchers are warning.
A new vulnerability has been found affecting stable version 2 installations of the abovementioned software, allowing threat actors to execute malicious code without authentication, and take over user accounts.
Adobe patched it, but the fix was only available in the second alpha release for version 2.4.9, meaning production versions remained vulnerable.
Article continues below
Targeting a $100 billion company
At the time, security researchers Sansec advised website admins to restrict access to pub/media/custom_options/ folders, verify that nginx or Apache rules prevent the access, and scan stores for uploaded malware and backdoors.
They also said that at first, there was no evidence of abuse in the wild, but stressed that an exploit method was “circulating already”.
Now, it appears that the predictions were true, as Sansec says more than half of all vulnerable stores are being targeted.
“Mass exploitation of PolyShell started on March 19th, and Sansec has now found PolyShell attacks on 56.7% of all vulnerable stores,” Sansec said, without giving a raw number of targeted sites.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
In some of the attacks, threat actors would deploy a credit card skimmer that was not seen before. This skimmer apparently uses Web Real-Time Communication (WebRTC) to exfiltrate data, which is a rather novel approach. As BleepingComputer explained, WebRTC uses DTLS-encrypted UDP rather than HTTP, making it better at evading security controls “even on sites with strict Content Security Policy (CSP) controls like ‘connect-src.’”
The skimmer was built in JavaScript and connects to a hardcoded C2 server, from which it receives a second-stage payload. It was first spotted on an ecommerce website belonging to a carmaker valued at over $100 billion.
Via BleepingComputer

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
PolyShell vulnerability in Magento/Adobe Commerce mass exploited, hitting over half of vulnerable stores Attackers deploy novel WebRTC-based credit card skimmer to evade security controls Compromised versions targeted since March 19, including high-value ecommerce sites PolyShell, a newly discovered vulnerability in certain Magento Open Source and Adobe Commerce installations, is now…
Recent Posts
- The FBI reportedly won’t investigate ICE anymore
- How to watch World Cup Final 2026: Free Streams, TV Channels & Kick-Off time for Spain vs Argentina
- Infrared tech is decades old – why does almost every TV remote use it?
- Orchid is a delightfully retro and approachable hipster synth
- Birdfy’s solar-powered smart feeder is down to one of its best prices
Archives
- July 2026
- June 2026
- May 2026
- April 2026
- March 2026
- February 2026
- January 2026
- December 2025
- November 2025
- October 2025
- September 2025
- August 2025
- July 2025
- June 2025
- May 2025
- April 2025
- March 2025
- February 2025
- January 2025
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- July 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023