Scanner, signatures and the largest collection of Magento malware

License: GPL-3.0

Language: HTML

Keywords: cryptojacking, ecommerce, fraud-detection, infosec, magento, malware, scanner

Magento Malware Scanner

Magento is a profitable target for hackers. Since 2015, I have identified more than 40.000 compromised stores. In most cases, malware is inserted that will a) intercept customer data, b) divert payments or c) use your customers for cryptojacking.

This project contains both a fast scanner to quickly find malware, and a collection of Magento malware signatures. They are recommended by Magento and used by the US Department of Homeland Security, the Magento Marketplace, Magereport, the Mage Security Council and many others.

Breach post-mortems

If you have a compromised store and are stuck, do get in touch.

Scan your site in 30 seconds

On a standard Linux or Mac OSX server, run two commands to find infected files:

grep -Erlf mwscan.txt /path/to/magento

(if no files are shown, then nothing was found!)


Advanced scanner for sysadmins: mwscan


  1. Automatically download latest malware signatures.
  2. Incremental scans: only display hits for new files. Normal scanning may use a lot of server power, so scanning only new files is a great optimization.
  3. Faster scanning: using Yara is 4-20x faster than grep.
  4. Efficient whitelisting: some extension vendors have obfuscated their code so that it looks exactly like malware. We maintain a list of bad-looking-but-good-code to save you some false alarms.
  5. Extension filtering: most of the time, it is useless to scan image files, backups, etc., so by default the Malware Scanner only scans web code documents (html, js, php).

See advanced usage.
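
The ideas in the list above (extension filtering, whitelisting by file hash, incremental scans) sketched in Python as an added example; this is not mwscan's own code. The signatures, file names and the ctime-plus-size change check are constructed assumptions, and Python's re module stands in for grep -E or Yara.

```python
import hashlib, re, tempfile
from pathlib import Path

WEB_EXTENSIONS = {".html", ".js", ".php"}  # default file types named in the list above
# Constructed placeholder signatures, one regex per line like a grep -f pattern file.
SIGNATURES = "EXAMPLE_SKIMMER_MARKER\nexample_[a-z]+_gate\\.invalid\n"

def load_signatures(text):
    return [re.compile(line.encode()) for line in text.splitlines() if line.strip()]

def scan(root, signatures, whitelist=frozenset(), seen=None):
    """Return files with a signature hit; `seen` carries state between incremental runs."""
    seen = {} if seen is None else seen
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue                  # skip directories, images, backups, etc.
        st = path.stat()
        stamp = (st.st_ctime_ns, st.st_size)  # on Linux, touch cannot reset ctime
        if seen.get(path) == stamp:
            continue                  # unchanged since the previous run
        seen[path] = stamp
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() in whitelist:
            continue                  # known-good code that merely looks bad
        if any(sig.search(data) for sig in signatures):
            hits.append(path)
    return hits

def demo():
    """Build a constructed document root, run a full scan, then an incremental one."""
    vendor = b"<?php /* obfuscated vendor code */ $x = 'EXAMPLE_SKIMMER_MARKER';"
    files = {"index.php": b"<?php echo 'shop';",
             "skin/cart.js": b"var gate = 'example_card_gate.invalid';",
             "lib/vendor.php": vendor,
             "media/banner.jpg": b"EXAMPLE_SKIMMER_MARKER"}
    sigs, seen = load_signatures(SIGNATURES), {}
    whitelist = {hashlib.sha256(vendor).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        first = scan(root, sigs, whitelist, seen)
        Path(root, "index.php").write_bytes(b"<?php echo 'shop'; // EXAMPLE_SKIMMER_MARKER")
        second = scan(root, sigs, whitelist, seen)
        return [p.relative_to(root).as_posix() for p in first + second]

if __name__ == "__main__":
    print(demo())
```

The first pass reports only skin/cart.js, because the whitelisted vendor file and the .jpg are skipped; the second pass reports only the modified index.php.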

Test coverage

Travis-CI verifies:

  • that all samples are detected
  • that all signatures match at least one sample
  • that Magento releases do not trigger false positives

Project Statistics

Sourcerank 8
Repository Size 4.86 MB
Stars 501
Forks 115
Watchers 71
Open issues 6
Dependencies 3
Contributors 33
Tags 32

Top Contributors

Willem de Groot, Jeroen Vermeulen, Tim Muller, Fabio Ros, Floyd Hightower, Mooey28, nshenfield, thomasbrockmeier, David Alger, Gregory Roussac, pmcmanaman, jissereitsma, Rick van de Loo, Nathaniel McHugh, Jonas Hünig, Max Chadwick, evlhomer, krautface, ikruchynskyi, Roland Walraven

Packages Referencing this Repo

Find malware in web documents.
Latest release 20181220.165251 - Updated - 501 stars

Recent Tags

20181220.165251 December 20, 2018
20180510.172121 May 10, 2018
20180307.122431 March 07, 2018
20180302.141503 February 28, 2018
20180228.120927 February 28, 2018
20170601.141726 June 01, 2017
20170516.130211 June 01, 2017
20170322.194652 March 22, 2017
20170317.114028 March 17, 2017
20170208.125606 February 08, 2017
20170131.175006 January 31, 2017
20170130.144142 January 30, 2017
20170130.133048 January 30, 2017
20170127.110829 January 27, 2017
20170126.154039 January 26, 2017

Last synced: 2018-12-20 16:39:12 UTC