"Attackers Mount Magento Supply Chain Attack by Compromising FishPig Extensions"

FishPig, a UK-based company that creates extensions for the popular Magento open-source e-commerce platform, has announced that malware was injected into its paid software offerings after its distribution server was compromised. According to Sansec researchers, the FishPig distribution server was compromised on or before August 19th. Any Magento store that has installed or updated paid FishPig software since then is now likely infected with Rekoobe malware. The researchers did not specify how the attackers gained access to the server, but they did reveal that the attackers were able to inject malicious PHP code into the Helper/License.php file, which is included in the majority of FishPig extensions. According to Ben Tideswell, the lead developer at FishPig, the attackers abused the company's custom system, which encrypts the extensions' code before making it available for download, hiding the malware's existence from both users and malware scanners. The injected malicious code installs the Rekoobe Remote Access Trojan (RAT), which removes all malware files and runs in memory. It then hides as a system process and waits for commands from a Latvian control server. The number of installations affected is unknown. FishPig is advising users to assume that all paid FishPig Magento 2 modules have been infected and to upgrade or reinstall existing versions from source. This article continues to discuss the Magento supply chain attack.

Help Net Security reports "Attackers Mount Magento Supply Chain Attack by Compromising FishPig Extensions"

Submitted by Anonymous on