Hacking Incidents | High

Over 7,500 Magento Sites Compromised in Mass Defacement Campaign

Saturday, March 21, 2026
Global
SecurityWeek

Summary

Ongoing mass defacement campaign exploits unauthenticated file upload vulnerability in Magento, affecting over 7,500 sites including global brands, government services, and universities.

Threat Analysis

An ongoing mass defacement campaign that began on February 27, 2026, has affected over 7,500 Magento sites encompassing more than 15,000 hostnames. The attacks involve deploying plaintext defacement files, sometimes including political messages, directly onto affected infrastructure. The attacker, possibly operating under the handle 'Typical Idiot Security,' is believed to be exploiting an unauthenticated file upload vulnerability present in Magento Open Source (Community Edition), Magento Enterprise/Adobe Commerce, and Adobe Commerce deployments with Magento B2B. The campaign has impacted global brands, government services, and university domains, with some production sites briefly defaced. Another vulnerability, dubbed PolyShell, was reported in the REST API of Magento and Adobe Commerce; it allows unauthenticated uploads of executable files and can potentially lead to remote code execution and account takeover. Organizations running Magento should immediately apply all available security patches, implement web application firewalls (WAF), restrict file upload capabilities, and conduct thorough security audits of their e-commerce platforms.

Last updated: Mar 21, 2026, 09:19 AM
