
Cyber Incident Victim: ASUSTeK Computer Inc.

Date:

Mar 2026

Location:

Taiwan

Summary

Over 7,500 Magento sites were defaced, most likely through an unauthenticated file upload flaw, with plaintext files carrying the attacker's handle "Typical Idiot Security" and, for a single day, brief political messages. The campaign hit subdomains and staging sites of brands including Asus, as well as government, university, non-profit and Trump Organization domains. Separately, Sansec disclosed a related flaw it named PolyShell in the Magento REST API: present since the first Magento 2 release and fixed only in the 2.4.9 pre-release branch, it allows unauthenticated file upload in all earlier versions and cross-site scripting in versions before 2.3.5, although Sansec has not observed it being exploited in the wild.


Description

On March 7, 2026, Netcraft reported that over 7,500 Magento sites had been hit in a mass defacement campaign that began approximately three weeks earlier, with the campaign affecting global brands including ASUSTeK Computer Inc. The attackers placed plaintext defacement files on the compromised infrastructure, across more than 15,000 hostnames, and most of those files contained the attacker’s handle while a smaller fraction displayed political messages referencing recent geopolitical conflicts. Netcraft observed that the political messages appeared only on March 7, 2026, and were absent from earlier or later defacements, indicating they were not the primary motive of the campaign. The majority of incidents were logged in the Zone‑H defacement archive under the account ‘Typical Idiot Security’, the same handle appearing in the defacement messages, suggesting the threat actor was seeking to build a reputation.


Netcraft stated that the attacker is likely exploiting an unauthenticated file upload vulnerability affecting Magento Open Source (Community Edition), Magento Enterprise / Adobe Commerce, and Adobe Commerce deployments with Magento B2B. Sansec later disclosed a related flaw, which it named PolyShell, in the REST API of Magento and Adobe Commerce: it permits unauthenticated upload of executables to any store, affects every Magento Open Source and Adobe Commerce release up to and including 2.4.9-alpha2, and additionally enables cross-site scripting in versions prior to 2.3.5. According to Sansec, the vulnerable code has existed since the initial Magento 2 release. Adobe addressed it in the 2.4.9 pre-release branch under advisory APSB25-94, but no isolated patch is available for current production versions, so stores on 2.4.8 or earlier had no vendor fix to apply at the time of disclosure. Sansec noted that the flaw has not been observed exploited in the wild, so the report does not confirm that PolyShell is the vulnerability behind the defacement campaign; Sansec nonetheless expects automated attacks to emerge because the exploit method is already circulating.
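The version ranges above are the part of the disclosure a store operator acts on first, and they are easy to get wrong with a plain string comparison: "2.4.10" sorts before "2.4.9", and "2.4.9" sorts before "2.4.9-alpha2" even though the final release is the newer one. The following script is an added example written for this page, not code from Sansec, Netcraft or Adobe. It parses Magento-style tags (including alpha/beta/rc pre-releases and "-pN" patch releases), maps each to the exposure Sansec described, and triages a constructed inventory of hypothetical hosts. It assumes that any 2.4.9 pre-release later than alpha2 carries Adobe's fix, which follows from Sansec's "up to 2.4.9-alpha2" boundary but is not stated release by release in the report.

```python
import re

# Version-range boundaries reported by Sansec for PolyShell (from the page):
# unauthenticated upload in every release up to and including 2.4.9-alpha2,
# cross-site scripting additionally in releases before 2.3.5.
LAST_UPLOAD_VULNERABLE = "2.4.9-alpha2"
XSS_FIXED_IN = "2.3.5"

# Ordering of Magento release tags: alpha < beta < rc < final < -pN patch release.
_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3, "p": 4}
_TAG_RE = re.compile(r"^(\d+(?:\.\d+){2,3})(?:-(alpha|beta|rc|p)(\d*))?$")


def parse_version(tag: str) -> tuple:
    """Turn a tag such as '2.4.7-p3' or '2.4.9-alpha2' into a sortable tuple.

    A final release ranks above every pre-release of the same number, and a
    -pN patch release ranks above the final release it patches.
    """
    m = _TAG_RE.match(tag.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Magento version tag: {tag!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # 2.4.9 -> (2, 4, 9, 0); Magento 1 tags have four parts
    return tuple(nums) + (_RANK[m.group(2)], int(m.group(3) or 0))


def classify(tag: str) -> str:
    """Map one Magento version tag to its PolyShell exposure per Sansec's ranges."""
    v = parse_version(tag)
    if v[0] != 2:
        return "out of scope (not Magento 2)"
    if v > parse_version(LAST_UPLOAD_VULNERABLE):
        # Assumption: every 2.4.9 pre-release after alpha2 carries the APSB25-94 fix.
        return "fixed branch (2.4.9 pre-release)"
    if v < parse_version(XSS_FIXED_IN):
        return "exposed: unauthenticated upload and XSS"
    return "exposed: unauthenticated upload"


def triage(inventory):
    """inventory: iterable of (hostname, version_tag). Returns one row per host,
    worst exposure first so the list reads as a work queue."""
    rows = []
    for host, tag in inventory:
        try:
            status = classify(tag)
        except ValueError as exc:
            status = f"unparsable ({exc})"
        rows.append({"host": host, "version": tag, "status": status})
    order = {"exposed: unauthenticated upload and XSS": 0,
             "exposed: unauthenticated upload": 1}
    rows.sort(key=lambda r: order.get(r["status"], 2))
    return rows


# Constructed sample inventory: hypothetical hosts and versions, not from the report.
SAMPLE_INVENTORY = [
    ("staging.shop.example", "2.4.7-p3"),
    ("eu.shop.example", "2.3.4"),
    ("dev.shop.example", "2.4.9-beta1"),
    ("legacy.shop.example", "1.9.4.5"),
    ("unknown.shop.example", "latest"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:<24} {row['version']:<12} {row['status']}")
```

Feed `triage()` the output of whatever inventory you already keep (composer.lock, `bin/magento --version`, or a CMDB export); a row marked "unparsable" is a host whose version you do not actually know, which for this flaw should be treated as exposed until checked.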

The defacement campaign mainly targeted subdomains, regional storefronts, and staging environments of the affected brands, although some production‑facing sites were also briefly defaced, a pattern that applied to ASUSTeK’s online properties as part of the broader list of impacted companies. In addition to commercial entities, the campaign reached regional government services, university domains in Latin America and Qatar, and various international non‑profit organizations, with several domains linked to the Trump Organization also showing defacement. As of the article’s publication date, the campaign remained ongoing, with the defacement files continuing to appear on compromised hosts and the attacker’s handle persisting in the Zone‑H reports.
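Since the report describes the dropped artefacts as small plaintext files containing the attacker's handle and notes that they keep appearing on compromised hosts, a responder's first check on a Magento box is a sweep of the document root for that indicator. The script below is an added example written for this page, not tooling from Netcraft, Sansec or Zone-H. It walks a webroot, skips symlinks and binary assets, caps the bytes read per file, and returns matching files with their modification times; the `pub/` layout and the 64 KiB size cap are assumptions used only for the constructed sample tree, and the hit list should be compared against the host's deploy history before anything is deleted.

```python
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Handle the report says appears in most of the dropped files.
HANDLE = "Typical Idiot Security"
# Defacement files are described as small plaintext; larger files are skipped so the
# sweep does not read every media asset. The cap itself is an assumption.
MAX_BYTES = 64 * 1024


def find_defacement_files(webroot, indicators=(HANDLE,), max_bytes=MAX_BYTES):
    """Walk a Magento document root and return small plaintext files containing
    any indicator string, oldest modification time first."""
    webroot = Path(webroot)
    needles = [s.encode("utf-8") for s in indicators]
    hits = []
    for path in webroot.rglob("*"):
        # Symlinks are skipped so a planted link cannot drag the sweep elsewhere
        # or cause one file to be reported twice.
        if path.is_symlink() or not path.is_file():
            continue
        try:
            st = path.stat()
            if st.st_size > max_bytes:
                continue
            data = path.read_bytes()
        except OSError:
            continue
        if b"\x00" in data:  # binary asset, not a plaintext defacement
            continue
        if any(n in data for n in needles):
            hits.append({
                "path": path.relative_to(webroot).as_posix(),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                "preview": data[:80].decode("utf-8", errors="replace").strip(),
            })
    hits.sort(key=lambda h: h["mtime"])
    return hits


def build_sample_webroot():
    """Constructed sample tree in a temp dir so the sweep runs offline."""
    root = Path(tempfile.mkdtemp(prefix="magento-webroot-"))
    (root / "pub" / "media").mkdir(parents=True)
    (root / "pub" / "index.php").write_text("<?php require __DIR__ . '/../app/bootstrap.php';\n")
    png = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 32
    (root / "pub" / "media" / "logo.png").write_bytes(png)          # binary, must be skipped
    (root / "pub" / "media" / "readme.txt").write_text(HANDLE + "\n")
    (root / "pub" / "tis.txt").write_text("hacked by " + HANDLE + "\n")
    try:
        (root / "pub" / "link.txt").symlink_to(root / "pub" / "tis.txt")  # must not double-count
    except OSError:
        pass  # platforms without symlink support
    return root


if __name__ == "__main__":
    for hit in find_defacement_files(build_sample_webroot()):
        print(f"{hit['mtime']}  {hit['size']:>6}  {hit['path']}  {hit['preview']!r}")
```

Run `find_defacement_files("/var/www/html")` (or wherever the store's `pub/` lives) with the real root; the `mtime` ordering gives a first estimate of when the host was hit, which is what you need to line up against web server logs for the upload request itself.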
