Magento 2 Security

CVE response guides, real-world malware analysis, and battle-tested security practices for Magento 2 and Adobe Commerce stores.

Magento security isn't optional - it's an ongoing operational responsibility. With credit card data flowing through your store and Adobe releasing quarterly patches that address critical vulnerabilities, staying on top of security requires constant attention, the right tooling, and a proactive mindset.

This resource hub covers the full spectrum of Magento 2 security: from responding to specific CVEs like CosmicSting and Session Reaper, to analysing real-world malware samples recovered from compromised stores, to building DevSecOps pipelines that catch threats before they reach production.

I've personally reported security vulnerabilities to Adobe, Amasty, Mirasvit, and Pay360 through responsible disclosure. Every guide here is informed by hands-on incident response and forensic analysis - not theoretical checklists. Whether you're a merchant wondering if your store is safe, or an engineer building defence-in-depth, you'll find actionable, production-tested guidance.

Security Articles & Analysis

CVE response guides, malware teardowns, and practical security hardening for Magento 2.

All security posts

Adobe's Isolated Patch Strategy: A Community Response

Adobe's new monthly isolated patch approach for Magento creates maintenance burden. Here's how a community meta-package can help restore sanity to security patching.

· 3 min
  • magento2
  • security
  • devops

Strengthening Magento 2 Security in CI/CD Pipelines with Sansec Ecomscan

Learn how to integrate Sansec Ecomscan into Magento 2 CI/CD pipelines to detect malware, enforce security patches, and secure build artifacts. Step-by-step guides for GitHub Actions and Bitbucket Pipelines included.

· 3 min
  • magento2
  • security
  • devsecops

Check if your Magento site is safe from Session Reaper (CVE-2025-54236)

How-to guide on checking whether your Magento 2 store is safe from the Session Reaper (CVE-2025-54236) exploit, with guidance on how to patch and secure your site if it is not.

· 5 min
  • magento2
  • security
  • devsecops

How to efficiently patch Magento 2 deployments at scale

Approaches to deploying patches simply across a large inventory of Magento 2 deployments.

· 3 min
  • magento2
  • security
  • devops

The Magento 2 Setup Endpoint is leaking your Magento Version

Have you explicitly disabled the Magento 2 setup route in your web server configuration? The vast majority of sites scanned show this route leaking the full Magento version.

· 1 min
  • magento2
  • security

Magento Trojan Orders (CVE-2022-24086) - addAfterFilterCallback

Magento 2 Trojan Orders (CVE-2022-24086) are back; let's talk about how to patch so we are safe, and about other identifiers to look for aside from addAfterFilterCallback.

· 3 min
  • magento2
  • security
  • devsecops

Simple 2 line fix for Polyfill.io Malware in Magento 2

A quick and easy two-line configuration fix for the Polyfill.io Magento 2 malware.

· 2 min
  • magento2
  • nginx
  • devsecops

Check if your Magento site is safe from CosmicSting (CVE-2024-34102)

How-to guide on checking whether your Magento 2 store is safe from the CosmicSting (CVE-2024-34102) exploit, with guidance on how to patch and secure your site if it is not.

· 2 min
  • magento2
  • security
  • devsecops

Anonymizing Magento 2 Databases with Warden

A simple guide for anonymizing Magento 2 databases in Warden, either to pass off to other developers or to move into staging/ephemeral environments.

· 1 min
  • magento2
  • warden
  • devops

Analyzing a real Magento 2 Stripe CC Scraper Malware Sample

Analyzing Magento 2 malware used to scrape Stripe credit card credentials, injected via the shipping policy in the core_config_data DB table.

· 3 min
  • magento2
  • devops
  • devsecops

Magento 2 Malware Scanning with Sansec Ecomscan - CLI, Automation & Bulk Scans

How to set up and configure malware scanning with Sansec Ecomscan for a single Magento 2 site, or in bulk with Ansible.

· 3 min
  • magento2
  • devops
  • devsecops

Magento 2 Malware Analysis

· 5 min
  • magento2
  • devops
  • devsecops

Is 100% uptime a bad goal?

Should you aim for 100% uptime across your servers? Or instead target fluid infrastructure where short-lived nodes can spawn and die as required?

· 3 min
  • ramblings
  • sysops
  • security

Blocking Tor exit routes

How do we go about blocking Tor / onion traffic to our site?

· 2 min
  • security
  • sysops

Security Documentation

Step-by-step guides for specific vulnerabilities, server hardening, and protective configuration.

All security docs

Security Tools & Projects

Open-source tools for vulnerability scanning, malware detection, and security automation.

All projects

Ansible Ecomscan Role

Ansible role for either triggering on-demand Sansec malware scans or configuring scheduled scanning across an entire fleet of distributed infrastructure.

Galaxy Role
Molecule Tests

Frequently Asked Questions

How do I check if my Magento store is vulnerable to CosmicSting?

Use the CosmicSting Vulnerability Validator tool or follow our CVE-2024-34102 guide to test your store. The vulnerability affects Magento 2.4.7 and below without the latest security patches applied.

What are the most common Magento security threats?

The most common threats include credit card skimming malware (Magecart), XML external entity (XXE) attacks like CosmicSting, session hijacking, and supply chain attacks via compromised third-party libraries. Regular patching, malware scanning, and WAF configuration are essential defences.

How often should I patch my Magento 2 store?

Adobe releases quarterly security patches. These should be applied as soon as possible - ideally within 1-2 weeks of release. Critical CVEs may require emergency out-of-band patching. Automated CI/CD pipelines can significantly reduce patching time.

How do I scan my Magento store for malware?

Use tools like Sansec Ecomscan for comprehensive malware detection. We recommend integrating malware scanning into your CI/CD pipeline to catch compromises before deployment. Manual analysis of payment-related JavaScript files is also advisable.

Magento security & infrastructure

I’ve worked on active security incidents, analysed malware samples, and reported vulnerabilities to Adobe and major extension vendors. Based in the UK, I’m happy to share insights or discuss security best practices with fellow developers.