
Cyber Incident Victim: FedEx

Date: Mar 2026

Location: United States of America

Summary

A mass defacement campaign compromised over 7,500 Magento sites, including a FedEx subdomain, by exploiting an unauthenticated file upload flaw in Magento Open Source and Adobe Commerce that allows attackers to place plaintext files on affected hostnames. The attackers, using the handle Typical Idiot Security, left messages that sometimes contained political references that were visible for only a short period. The vulnerability, known as PolyShell, exists in all versions up to 2.4.9‑alpha2 and was patched only in a pre‑release branch, leaving current production versions without an isolated fix. While active exploitation of the PolyShell bug has not been observed, the defacement campaign itself affected global brands, regional government services, university domains, and non‑profit organizations, with many incidents limited to subdomains, staging environments, and brief production‑facing alterations.


Description

Over three weeks before March 7 2026, a mass defacement campaign began targeting Magento‑based websites, ultimately affecting more than 7,500 sites and more than 15,000 hostnames. The attackers placed plaintext defacement files directly on the compromised infrastructure, with most files displaying the handle “Typical Idiot Security” and a smaller subset containing political messages that appeared only on March 7 2026. Among the global brands impacted were Asus, BenQ, Citroën, Diesel, FedEx, Fiat, Fila, Bandai, Lindt, Toyota, and Yamaha, with the compromises primarily hitting subdomains, regional storefronts, and staging environments, although a few production‑facing sites were also briefly defaced. Additional victims included regional government services, university domains in Latin America and Qatar, international non‑profit organizations, and several domains associated with the Trump Organization. The security firm Netcraft noted that the majority of incidents were reported to the defacement archive Zone‑H under the account “Typical Idiot Security,” suggesting the threat actor was attempting to build a reputation.


Netcraft attributed the campaign to the likely exploitation of an unauthenticated file upload vulnerability affecting Magento Open Source (Community Edition), Magento Enterprise / Adobe Commerce, and Adobe Commerce deployments with Magento B2B. Concurrently, Sansec disclosed a newly identified flaw in the Magento and Adobe Commerce REST API, which they named PolyShell, that could be used to upload executables without authentication. The vulnerability impacts all Magento Open Source and Adobe Commerce versions up to 2.4.9‑alpha2 and could be leveraged for cross‑site scripting in releases prior to 2.3.5. According to Sansec, the vulnerable code has existed since the initial Magento 2 release. Adobe addressed it in the 2.4.9 pre‑release branch as part of advisory APSB25‑94, but no isolated patch is currently available for production versions. Sansec further stated that, while they have not observed active exploitation of PolyShell in the wild, the exploit method is already circulating and they anticipate automated attacks to emerge soon.

Incidents were logged in the Zone‑H defacement archive using the “Typical Idiot Security” account, the same handle appearing in the defacement files, indicating an effort by the attacker to gain notoriety. The campaign’s reach extended beyond commercial entities to include public sector and nonprofit targets, underscoring the broad scope of the vulnerability’s impact. No specific mitigation or response actions taken by FedEx or other victims are detailed in the source material, and the narrative is limited to the confirmed facts of the attack timeline, the systems affected, the attacker’s methods as described by Netcraft and Sansec, and the reporting observations from security monitoring services.
