Hackers are actively exploiting a newly exposed flaw dubbed PolyShell to compromise a large number of e-commerce stores running Magento and Adobe Commerce. The campaign, first detailed by threat researchers at Sansec and reported by BleepingComputer, is focused on quietly stealing payment data at checkout — the hallmark of modern web skimming attacks.
Sansec says attackers have moved quickly since disclosure, with an estimated 56% of vulnerable stores already seeing attempted intrusions. One high-profile victim cited by researchers was an online storefront of a major car manufacturer, underscoring the potential reach and business impact.
- What Is PolyShell and How Attackers Steal Payment Data
- Scope of the Attacks Across Magento and Adobe Commerce
- Adobe Response and Patch Status for the PolyShell Flaw
- How the PolyShell Skimmer Works Inside Checkout Flows
- What Merchants Should Do Now to Reduce PolyShell Risks
- Guidance for Shoppers to Minimize Online Payment Risk
Adobe has prepared a fix in its beta channel, but many production stores are still awaiting a stable release or have not yet applied mitigations. Until patches are broadly deployed, merchants on these platforms face elevated risk during peak shopping periods and promotional cycles.
What Is PolyShell and How Attackers Steal Payment Data
PolyShell is the name given to a flaw in Magento and Adobe Commerce that lets adversaries plant a server-side skimmer inside the store itself. Rather than relying on malicious JavaScript in the shopper’s browser, attackers abuse the application’s interfaces to intercept and harvest cardholder data as it passes through the checkout process on the server.
This approach is particularly dangerous because the theft happens after the shopper’s browser has submitted the form: Content Security Policy, script-integrity checks and front-end script inventories watch the browser side and never see a server-side implant. It also blends into legitimate commerce workflows, so teams that monitor only front-end code changes have no signal to act on.
The end goal is classic Magecart-style theft: capture names, card numbers, expiration dates, and CVVs, then exfiltrate the data to attacker-controlled infrastructure for resale or further fraud.
Scope of the Attacks Across Magento and Adobe Commerce
Magento and Adobe Commerce together power tens of thousands of online stores worldwide, from boutique retailers to enterprise brands. That broad footprint gives PolyShell operators a wide target set and a high likelihood of hitting sites with varying patch cadences and defensive maturity.
Sansec’s telemetry suggests a rapid ramp: 56% of exposed environments have faced exploitation attempts since the flaw was publicized. Not every attempt succeeds, but the volume points to automated scanning and mass deployment of the skimmer payload rather than hand-picked targeting.
Historically, web skimming campaigns remain durable because they profit quickly and often go unnoticed for weeks. Industry reporting, including the Verizon Data Breach Investigations Report, consistently flags web application attacks as a leading breach vector, and PolyShell fits that pattern by targeting high-value payment flows.
Adobe Response and Patch Status for the PolyShell Flaw
According to researchers, Adobe has issued a fix in its beta channel, suggesting that a stable release should follow. Organizations running production storefronts typically wait for general availability or vendor guidance before rolling out changes that might affect checkout stability, which leaves a window in which the flaw is public but most stores are still unpatched.
Until the patch lands broadly, security teams are urged to track Adobe’s security bulletins, verify the integrity of core commerce modules, and monitor for unusual changes to APIs that handle checkout or payment workflows. Enterprises with staged environments should prioritize testing the beta fix to accelerate rollouts once the stable update is published.
Sansec and other threat intelligence groups are also sharing indicators of compromise tied to PolyShell campaigns, which merchants can use to spot active infections and the exfiltration traffic that follows them.
How the PolyShell Skimmer Works Inside Checkout Flows
In the PolyShell cases observed, attackers insert a skimmer through Magento’s application interfaces so that sensitive checkout fields are captured server-side. Rather than modifying visible storefront templates, the implant rides along the request path, siphoning data and forwarding it to drop servers via obfuscated payloads.
Because the implant sits behind the scenes, shoppers see a normal checkout flow and merchants may not notice traditional red flags like altered product pages. That invisibility — combined with rotating domains and timed activation — helps attackers extend dwell time and increase yield per compromised store.
What Merchants Should Do Now to Reduce PolyShell Risks
- Apply vendor patches as soon as they are generally available and track interim advisories for temporary mitigations.
- Audit checkout and payment API paths for unexpected code, configuration drift, or new callbacks. Treat unexplained changes as potential compromise.
- Monitor outbound traffic from application servers for connections to unfamiliar domains, especially around checkout events.
- Enforce least privilege for admin and API accounts, rotate credentials, and enable multifactor authentication. Limit admin access to known IPs or VPN.
- Use file integrity monitoring and runtime application self-protection to catch unauthorized modifications that evade client-side controls.
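The audit, egress-monitoring and file-integrity steps above (and the call in the Adobe section to verify the integrity of core commerce modules) can be reduced to two small checks that run on the application server. The script below is an added example written for this article; it is not code from Sansec, Adobe or the Magento project, and it does not detect PolyShell specifically. The watched file suffixes, the `app/code/Vendor/Checkout` module layout, the egress log format and the allowlisted hostnames are all assumptions for the demonstration; the tampering it "finds" is staged inside a temporary directory, and the egress log lines are constructed, not real telemetry.

```python
"""Two server-side checks for a Magento / Adobe Commerce host:
1. a file-integrity baseline and diff over the code tree, and
2. an egress-log review that flags application-server connections to hosts
   outside an allowlist.
Paths, log format and hostnames are assumptions made for this example."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Assumed: file types worth baselining in a Magento code tree (adjust per deployment).
WATCHED_SUFFIXES = {".php", ".phtml", ".js", ".xml", ".json"}


def hash_tree(root: str) -> Dict[str, str]:
    """Map relative POSIX path -> SHA-256 for every watched file under root."""
    baseline: Dict[str, str] = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in WATCHED_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def diff_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift between two baselines; every entry is a finding to triage."""
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "modified": sorted(p for p in new if p in old and old[p] != new[p]),
    }


# Constructed egress log (not real telemetry): "<timestamp> <source> <dst_host> <bytes>"
SAMPLE_EGRESS = """\
2025-01-10T12:00:01Z app01 payments.example-psp.com 1832
2025-01-10T12:00:02Z app01 cdn.example-store.com 512
2025-01-10T12:00:03Z app01 stats.unknown-drop.example 944
2025-01-10T12:00:04Z app02 api.example-psp.com 2210
2025-01-10T12:00:05Z app02 203.0.113.7 640
"""

# Assumed allowlist: the PSP, CDN and first-party hosts this store legitimately calls.
ALLOWED_EGRESS: Set[str] = {
    "payments.example-psp.com",
    "api.example-psp.com",
    "cdn.example-store.com",
}


def flag_unknown_egress(log_text: str, allowed: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source, destination) for connections to non-allowlisted hosts.
    Raw IP destinations never match the allowlist, so they are always surfaced."""
    findings: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than silently trusting them
        ts, src, dst = parts[0], parts[1], parts[2]
        if dst not in allowed:
            findings.append((ts, src, dst))
    return findings


def demo_file_integrity() -> Dict[str, List[str]]:
    """Stage a toy module tree, baseline it, plant a change, and diff (self-contained)."""
    with tempfile.TemporaryDirectory() as root:
        mod = Path(root, "app", "code", "Vendor", "Checkout")  # assumed module path
        (mod / "Model").mkdir(parents=True)
        (mod / "etc").mkdir()
        (mod / "Model" / "Payment.php").write_text("<?php // legitimate\n")
        (mod / "etc" / "di.xml").write_text("<config/>\n")
        before = hash_tree(root)
        # Simulated tampering: an existing model is edited and a new file is dropped in.
        (mod / "Model" / "Payment.php").write_text("<?php // legitimate\n// injected\n")
        (mod / "Model" / "Helper.php").write_text("<?php // unexpected\n")
        after = hash_tree(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    print(json.dumps(demo_file_integrity(), indent=2))
    for finding in flag_unknown_egress(SAMPLE_EGRESS, ALLOWED_EGRESS):
        print("egress to non-allowlisted host:", *finding)
```

In production the baseline from `hash_tree` should be taken from a known-good deployment artifact and stored off the web host, so an attacker who can write to the code tree cannot also rewrite the record they are being compared against; the egress check is only as good as the allowlist, so start it from the store's real payment-provider and CDN hostnames and alert on every addition rather than quietly extending the list.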
Beyond immediate triage, align with the PCI DSS 4.0 requirements for e-commerce, notably Requirement 6.4.3 (an authorized inventory of scripts on payment pages) and Requirement 11.6.1 (change and tamper detection on those pages). Those controls cover the browser side; PolyShell shows why the same discipline (integrity baselines, change alerting and egress monitoring) is needed on the server side too.
Guidance for Shoppers to Minimize Online Payment Risk
Consumers have limited control over server-side attacks, but a few habits reduce exposure: enable transaction alerts, use virtual or single-use cards when available, avoid storing card details in merchant accounts, and consider trusted payment wallets that tokenize card data.
If you notice unfamiliar charges after recent online purchases, contact your bank immediately and request a new card number. Banks and card networks typically absorb fraud losses, but fast reporting helps contain damage and flags compromised merchants sooner.
With PolyShell activity accelerating, the fastest path to risk reduction is straightforward: merchants patch promptly, monitor aggressively, and shoppers stay alert to anomalies. The longer the window before universal fixes, the more attractive these platforms remain to skimming crews.