
Cyber Incident Victim: FilaBandai

Date: Mar 2026

Location:

Summary

A mass defacement campaign compromised over 7,500 Magento sites, deploying plaintext files bearing the attacker handle “Typical Idiot Security” and affecting brands such as Asus, BenQ, Citroën, Diesel, FedEx, Fiat, FilaBandai, Lindt, Toyota and Yamaha, along with government, university and non‑profit domains. The attacks exploited an unauthenticated file upload flaw (PolyShell) in Magento Open Source and Adobe Commerce versions up to 2.4.9‑alpha2. The vulnerable code has been present since the first Magento 2 release; Adobe addressed it in a pre‑release branch, but no isolated patch exists for current production versions.


Description

The defacement campaign began approximately three weeks before the article’s publication date of 7 March 2026. Netcraft reported that over 7,500 Magento sites were compromised. The attackers placed plaintext defacement files on the affected infrastructure across more than 15,000 hostnames. Most of these files contained the attacker’s handles, while a smaller fraction included political messages referencing recent geopolitical conflicts. According to Netcraft, those political messages appeared only on 7 March 2026 and were absent from earlier and later defacements. The campaign affected a range of global brands, including FilaBandai, Asus, BenQ, Citroën, Diesel, FedEx, Fiat, Lindt, Toyota and Yamaha. Impacts were mainly observed on subdomains, regional storefronts and staging environments, although some production‑facing sites were briefly defaced. In addition to corporate targets, regional government services, university domains in Latin America and Qatar, and several international non‑profit organizations were also hit. Domains associated with the Trump Organization were among those defaced. The defacement archive Zone‑H received the majority of reports under the account ‘Typical Idiot Security’.


Netcraft indicated that the attacker likely exploited an unauthenticated file upload vulnerability affecting Magento Open Source (Community Edition), Magento Enterprise / Adobe Commerce, and Adobe Commerce deployments with Magento B2B. Sansec later disclosed a separate flaw in the Magento REST API, named PolyShell, which could allow an unauthenticated party to upload executable files to any store. PolyShell affects all Magento Open Source and Adobe Commerce versions up to 2.4.9‑alpha2, and in versions prior to 2.3.5 it could also be used for cross‑site scripting. The vulnerable code has been present since the initial Magento 2 release. Adobe addressed the issue in the 2.4.9 pre‑release branch as part of advisory APSB25‑94; no isolated patch exists for current production versions of the software. Sansec noted that, at the time of reporting, it had not observed active exploitation in the wild. However, the exploit method was already circulating, leading Sansec to anticipate automated attacks in the near future.

Netcraft’s report highlighted that most of the defacement incidents were logged in the Zone‑H archive using the handle ‘Typical Idiot Security’. This same handle appeared within the plaintext defacement files placed on the compromised sites. The reuse of the handle suggests the threat actor is attempting to build a reputation through the archive. No additional details regarding mitigation, patching, or remediation actions taken by affected organizations are provided in the source material. Consequently, the narrative is limited to the observed timeline, scope, technical details, and reporting activities described above.
