Cyber Incident Victim: Trump Organization
Date: Mar 2026
Location: United States of America
Summary
Thousands of Magento sites were defaced in a campaign that dropped plaintext files carrying attacker handles and, briefly, political messages; most of the defacements were logged to Zone‑H under the handle Typical Idiot Security. Netcraft identified the likely entry point as an unauthenticated file upload flaw affecting Magento Open Source, Adobe Commerce and the Magento B2B extension. Sansec separately disclosed a related unauthenticated upload flaw in the Magento REST API, named PolyShell, that affects every release up to 2.4.9‑alpha2 and has been present since the first Magento 2 release. Adobe fixed it in the 2.4.9 pre‑release branch, but no standalone patch exists for current production versions, and Sansec had not yet observed PolyShell being exploited in the wild. The campaign hit global brands such as Asus, BenQ, Citroën, Diesel, FedEx, Fiat, Fila, Bandai, Lindt, Toyota and Yamaha, as well as regional government services, university domains in Latin America and Qatar, non‑profit organizations, and several domains associated with the Trump Organization.
Description
The defacement campaign began approximately three weeks before the article’s publication date of March 7 2026, placing its start around mid‑February 2026. More than 7,500 Magento sites were compromised, with defacement files placed on more than 15,000 hostnames. The uploaded plaintext files primarily displayed the attackers’ handles; a smaller subset carried political messages referencing recent geopolitical conflicts. Those political messages appeared only on March 7 2026 and not in the earlier defacements, which suggests they were not the main motive. Most incidents were logged to the defacement archive Zone‑H under the account “Typical Idiot Security,” the same handle seen in the defacement files, pointing to reputation‑seeking as the primary driver. Several domains associated with the Trump Organization were among the victims.

Netcraft identified the likely entry point as an unauthenticated file upload vulnerability affecting Magento Open Source (Community Edition), Magento Enterprise / Adobe Commerce, and Adobe Commerce deployments with the Magento B2B extension. Sansec later disclosed a related flaw in the Magento REST API, which it named PolyShell, that allows an unauthenticated attacker to upload executable files to any store. PolyShell affects all Magento Open Source and Adobe Commerce versions up to 2.4.9‑alpha2, and in releases prior to 2.3.5 it can also be used for cross‑site scripting. The vulnerable code has been present since the initial Magento 2 release; Adobe addressed it in the 2.4.9 pre‑release branch under advisory APSB25‑94, but no standalone patch exists for current production versions. As of the reporting date, Sansec had not observed active exploitation of PolyShell in the wild, though exploit code was circulating and automated attacks were anticipated.
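For administrators who want to check their own stores, the following is an added triage script, not code from Netcraft, Sansec, Adobe or this page. It relies only on what the report states: plaintext defacement files carrying the handle “Typical Idiot Security” were dropped onto Magento sites, and the entry point was an unauthenticated file upload. The `pub/media/` upload path, the executable extension list and the mid‑February to early‑March 2026 window are assumptions for illustration; the sample docroot it builds is constructed, not data from any victim.

```python
#!/usr/bin/env python3
"""Hunt a Magento 2 document root for defacement and upload artifacts.

Added example; it flags a file when it (a) is an executable type sitting
under the web-served upload directory, or (b) contains a known attacker
handle, and tags the finding if the file was modified inside the assumed
campaign window.
"""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Handle tied to the campaign by the report; extend with local findings.
KNOWN_HANDLES = ("Typical Idiot Security",)
# Server-side executable extensions that have no business in an upload dir.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".php7"}
# Assumption: stock Magento 2 layout, uploads live under pub/media/.
UPLOAD_DIR = "pub/media/"
# Assumption: roughly three weeks before the 7 March 2026 report.
WINDOW_START = datetime(2026, 2, 14, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 8, tzinfo=timezone.utc)


def scan(root, handles=KNOWN_HANDLES, start=WINDOW_START, end=WINDOW_END):
    """Return a sorted list of {"path", "reasons"} dicts for suspect files."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        if rel.startswith(UPLOAD_DIR) and path.suffix.lower() in EXECUTABLE_EXTS:
            reasons.append("executable-in-upload-dir")
        # Defacement files are small plaintext; only the first 64 KiB is read.
        head = path.read_bytes()[:65536].decode("utf-8", errors="ignore").lower()
        if any(h.lower() in head for h in handles):
            reasons.append("known-handle")
        if not reasons:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if start <= mtime <= end:
            reasons.append("modified-in-window")
        findings.append({"path": rel, "reasons": reasons})
    return findings


def build_sample_tree(base):
    """Write a constructed mini docroot: two benign files, two artifacts."""
    in_window = datetime(2026, 2, 20, tzinfo=timezone.utc).timestamp()
    files = {
        # Benign: stock front controller outside the upload dir.
        "pub/index.php": (b"<?php require __DIR__ . '/../app/bootstrap.php';\n", None),
        # Benign: a product image with today's mtime.
        "pub/media/catalog/product/a/b/ab-hoodie.jpg": (b"\xff\xd8\xff\xe0 jpeg bytes", None),
        # Artifact: plaintext defacement file naming the handle.
        "pub/media/tis.txt": (b"Hacked by Typical Idiot Security\n", in_window),
        # Artifact: executable dropped into the upload dir (placeholder body).
        "pub/media/wysiwyg/up.php": (b"<?php /* dropped executable */ ?>\n", in_window),
    }
    for rel, (content, ts) in files.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        if ts is not None:
            os.utime(p, (ts, ts))  # backdate into the campaign window


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return scan(d)


if __name__ == "__main__":
    # Point scan() at a real docroot instead, e.g. scan("/var/www/html").
    for f in demo():
        print(f["path"], ",".join(f["reasons"]))
```

Run `scan()` against a real docroot from a read‑only copy or a mounted snapshot rather than the live filesystem, so that triage does not itself alter mtimes. A hit on `executable-in-upload-dir` is a stronger signal than the window tag alone, since defacement files are often backdated or re‑touched.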
The defacement of Trump Organization domains followed the same pattern seen across other targets: subdomains, regional storefronts and staging environments were hit, and a few production‑facing sites briefly served the attacker’s files. Like the compromised sites of Asus, BenQ, Citroën, Diesel, FedEx, Fiat, Fila, Bandai, Lindt, Toyota, Yamaha, governmental bodies, universities in Latin America and Qatar, and various non‑profits, the Trump Organization’s assets displayed the attacker’s handles and, on March 7, the transient political messages. The incident was one of the more than 7,500 defaced Magento sites and illustrates how widely a single unauthenticated upload flaw reached across sectors. Netcraft’s reporting and Sansec’s subsequent disclosure brought the vulnerability to public attention and prompted administrators of Magento‑based platforms to review their exposure.
