Advanced extensions for Magento® to help your business - Welcome to Moogento!

New Magento Security Notice - You Might Already Be Infected

TLDR - you might have malware in your site. Run your site at for a quick check.

Team Magento just released a new security notice. This one is way easier to check than the last SUPEE patch, and in fact is likely directly related to slow installs of previously released patches. Technically it looks like a JavaScript malware hack where credit card details are sent back to a dodgy remote server.

How could this have happened?

It can happen if you were slow to install patches, have insecure passwords, or have otherwise been compromised (e.g. by logging in to your admin console via an insecure path on a shared network).

How to check if I'm affected?


Open up your main website homepage in a browser, 'view source', and do a case-insensitive 'find' for eval or regexp. If you find something, double-check if it matches this shit-list:

  • eval(atob(
  • regexp("checkout
  • Regexp('checkout
  • Regexp("onepage
  • Regexp('onepage
  • Regexp("onestep
  • Regexp('onestep


Log into admin and check your list of admin user accounts. Disable or delete any that are old or unused. Check that everyone has a decent password (8 characters, with numbers, special characters, and small/large-caps letters).


Check, in your admin, for any dodgy code in these sections:

  • Configuration->General->Design->HTML Head->Miscellaneous Scripts
  • Configuration->General->Design->Footer->Miscellaneous HTML


Check for these files, both on your server and in your server access log files:

  • /downloader/Maged/Maged.php
  • /downloader/cache.php
  • /jquery.php
  • /
  • /css.php
  • /opp.php
  • /xrc.php
  • /order.php
  • /jquerys.php
  • /var/extendware/system/licenses/encoder/mage_ajax.php
  • /js/index.php

If you find any, then this is pretty serious, as you have been hacked to a degree where credit card details could have been transmitted.
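
The pattern search and the access-log check above, automated as an added example (not code from the original post or from Magento). The function names and the sample HTML and log lines are constructed, the log is assumed to be in Apache/nginx combined format, and the bare "/" entry in the file list is left out because it would match every request.

```python
import re

# Indicators from the list above, case-insensitive, either quote style.
SCRIPT_PATTERNS = [
    re.compile(r"eval\s*\(\s*atob\s*\(", re.I),
    re.compile(r"""regexp\s*\(\s*["'](?:checkout|onepage|onestep)""", re.I),
]

# File paths from the list above. The bare "/" entry is omitted.
SUSPECT_PATHS = {
    "/downloader/Maged/Maged.php", "/downloader/cache.php", "/jquery.php",
    "/css.php", "/opp.php", "/xrc.php", "/order.php", "/jquerys.php",
    "/var/extendware/system/licenses/encoder/mage_ajax.php", "/js/index.php",
}
# Request path and status code in a combined-format log line (assumed format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) [^"]*" (\d{3})')

def scan_source(text):
    """Return (line_number, matched_text) for each indicator found in text."""
    return [(n, m.group(0))
            for n, line in enumerate(text.splitlines(), 1)
            for pat in SCRIPT_PATTERNS
            for m in pat.finditer(line)]

def scan_access_log(lines):
    """Return (path, status, client_ip) for each request to a listed path.
    200 means the server answered for that path; 404 means it was not found."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m:
            path = m.group(1).split("?", 1)[0]  # ignore the query string
            if path in SUSPECT_PATHS:
                hits.append((path, int(m.group(2)), line.split(" ", 1)[0]))
    return hits

# Constructed sample input, not taken from a real site.
SAMPLE_HTML = "\n".join([
    "<html><head>",
    '<script>var r = new RegExp("onepage|checkout");</script>',
    '<script>eval(atob("PLACEHOLDER"));</script>',
    "<script>var ok = new RegExp('^[a-z]+$');</script>",
])
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2016:10:00:00 +0000] "GET /js/index.php?x=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2016:10:00:05 +0000] "GET /opp.php HTTP/1.1" 404 210',
    '198.51.100.9 - - [01/Jan/2016:10:00:09 +0000] "GET /checkout/onepage/ HTTP/1.1" 200 9000',
]
```

`scan_source` works equally on saved homepage source and on text copied out of the Miscellaneous Scripts and Miscellaneous HTML fields; a hit is a prompt to read the surrounding code, since legitimate scripts can also build a RegExp.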

What to do if I am affected?

Track down the source of that bad code. You could start by:

  • changing all passwords
  • backing up the site then
  • reinstalling the same clean version over the top

I take this as a sign of a good ecosystem - we're getting warnings, fast, about security issues. You might be tempted to think that Magento must be insecure but I look at it as a sign of a healthy community with a lot of people checking for issues, and there to help when things go sour.

Test your site now, it only takes 30 seconds using the tool linked at the top.
