Overview
- Sansec, which saw mass scanning begin March 19, reports attacks on 56.7% of vulnerable Magento and Adobe Commerce stores.
- The flaw stems from the REST API accepting file uploads as custom item options, which can lead to remote code execution or stored XSS if the server executes an uploaded polyglot file.
- The deployed skimmer uses WebRTC DataChannels over DTLS-encrypted UDP to load its payloads and send card data, bypassing Content Security Policy rules and monitoring tools that inspect only HTTP traffic.
- Researchers found this skimmer on a major car maker’s online store and observed a hard‑coded peer at 202.181.177[.]177 using UDP port 3479.
- Sansec published indicators and attacker IPs and urges merchants to block pub/media/custom_options/ and to scan for web shells and backdoors while waiting for a production fix.
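To make the blocking and scanning advice concrete, here is an added example (not Sansec's code or Magento's) that checks an uploaded file for the image/PHP polyglot shape described above and flags access-log hits on the custom_options directory. The URL prefix, the sample file bytes and the log lines are assumptions constructed for the demonstration.

```python
import re

# Added example: the upload directory is the one named in the summary;
# the file bytes and log lines below are constructed, not real captures.
UPLOAD_PATH = "/media/custom_options/"          # pub/ is the web root
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.I)
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.I)

def image_type(data: bytes):
    """Image type claimed by the magic bytes, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def is_polyglot(data: bytes) -> bool:
    """True when a file passes as an image by its header but also carries a
    PHP open tag, the shape of file the upload flaw lets an attacker plant."""
    return image_type(data) is not None and PHP_TAG.search(data) is not None

def flag_request(line: str):
    """Classify one access-log line: 'script' for a server-side file fetched
    from the upload directory, 'upload_dir' for any other hit on it, else None."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+)', line)
    if not m:
        return None
    path = m.group(1).split("?", 1)[0]
    if UPLOAD_PATH not in path:
        return None
    return "script" if SCRIPT_EXT.search(path) else "upload_dir"

def scan_log(lines):
    """Return (line, verdict) for every flagged access-log line."""
    return [(line, flag_request(line)) for line in lines if flag_request(line)]

# Constructed samples: a JPEG header followed by a PHP tag, a clean PNG,
# and three access-log lines in combined format.
POLYGLOT = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8 + b"<?php echo 'x'; ?>"
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
LOG = [
    '203.0.113.7 - - [20/Mar/2025:10:01:02 +0000] "GET /media/custom_options/quote/a/b/img.jpg.php HTTP/1.1" 200 512',
    '203.0.113.8 - - [20/Mar/2025:10:01:05 +0000] "GET /media/custom_options/quote/c/d/photo.png HTTP/1.1" 200 2048',
    '198.51.100.4 - - [20/Mar/2025:10:01:09 +0000] "GET /media/catalog/product/x.jpg HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print("polyglot:", is_polyglot(POLYGLOT), "clean:", is_polyglot(CLEAN_PNG))
    for line, verdict in scan_log(LOG):
        print(verdict, line.split('"')[1])
```

Run the same `is_polyglot` check over every file under pub/media/custom_options/ on a store, and feed the web server's access log through `scan_log`; any 'script' verdict deserves the web shell hunt the advisory recommends.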