Please complete the form to apply for a free scan account.
We'll get back to you as soon as possible.
Turaco Labs needs the information provided to contact you about our services.
Tags:
Our ThreatView telemetry is showing a clear and troubling trend: attacks against PrestaShop stores are increasing, not fading.
In February 2026, we detected 327 compromised PrestaShop websites running card-harvesting malware loaders or digital skimmer malware. By the beginning of June 2026, that number had risen to 1,068. This is an active, expanding campaign affecting a growing number of merchants.
What makes this especially concerning is that the malware profile is broadening. Early coverage focused heavily on digital skimmers and payment theft, and that remains a serious risk. But what we are now detecting includes crypto miners, adware, malware droppers, payload loaders, and card-harvesting malware. In other words, once attackers gain access, they are not relying on one monetisation path. They are using the same compromised estate in multiple ways.
This aligns with the official warning issued by PrestaShop, which instructs merchants to check for skimmer-related script injection in the active theme’s _partials/head.tpl file, inspect for obfuscated JavaScript using atob() , and review suspicious modules such as mloader and simplefilemanager . These are not theoretical indicators. They are practical signs that a store may already be compromised.
The danger here is not only technical. It is commercial, operational, and regulatory. A compromised checkout can continue processing orders while silently stealing payment data in parallel. From the shopper’s perspective, the purchase appears to complete normally. From the merchant’s perspective, the breach may remain invisible until chargebacks, breach handling, or acquirer scrutiny begin.
That invisibility is one of the biggest reasons this issue deserves urgent attention. Targeted PrestaShop malware is increasingly designed to evade casual checking. Foregenix has shown how more recent PrestaShop malware can be device-aware and selectively activate for mobile users while remaining dormant during desktop checks. A merchant can inspect their own site and see a clean checkout while customers are being targeted under different conditions.
This is why delay is costly. Every compromised transaction compounds the problem. The longer malicious code remains active, the greater the exposure to stolen payment data, personally identifiable information, regulatory reporting obligations, card-brand or acquirer intervention, chargebacks, customer remediation, and reputational damage. Under GDPR, merchants may also have to assess whether personal data has been exfiltrated and report notifiable breaches without undue delay, and in many cases within 72 hours of becoming aware of them.
It is also important to place this in the wider eCommerce security pattern. PrestaShop is the latest platform under pressure, but it is not the first. Adobe Commerce and Magento have also seen repeated exploitation and skimming activity over recent years, including large-scale campaigns that rapidly spread once a weakness becomes known. The pattern is clear: attackers build repeatable playbooks around high-value eCommerce platforms and reuse them at scale.
So what should a PrestaShop merchant do now?
That means inspecting the active theme’s _partials/head.tpl , looking for suspicious script tags and atob() obfuscation, reviewing installed modules for anything unexpected - especially mloader or simplefilemanager - and checking logs for suspicious outbound activity or evidence of data exfiltration. If you find any of these signs, treat it as a live incident.
Bear in mind that we are a few months beyond the guidance provided by PrestaShop - and the malware being deployed is evolving, so spread your search wider.
PrestaShop specifically advises merchants to change back-office, database, FTP, and SSH passwords and ensure configuration files are updated accordingly. That should be paired with a broader review for persistence mechanisms, hidden backdoors, and secondary malware, especially now that the threat set is expanding beyond skimming into droppers, miners, and adware.[help-center.prestashop]
The current threat environment requires continuous monitoring and external visibility. If your store is already compromised, discovering it through fraud reports or a bank investigation is the worst possible route.
That is why we are encouraging every PrestaShop merchant to take an immediate first step with the free ThreatView scanner: ThreatView free scanner.
The free scanner is a fast - and free - way to check whether your site is showing visible signs of compromise. But given the direction of travel - 327 hacked sites in February, 1,068 by early June, and malware activity broadening beyond skimming - merchants running PrestaShop should be thinking in terms of comprehensive security, not just external spot checks.
ThreatView Advanced is designed for that wider requirement: continuous monitoring, threat detection, and faster visibility when something changes. Get in touch if you would like to check your site using ThreatView Advanced - we are providing PrestaShop users a reduced cost licence to get secured.
If you run PrestaShop, don’t wait. The attack is growing, and every day of delay can increase your legal, financial, and customer-impact exposure.
Over the last three months, the digital skimmer landscape has changed noticeably. Based on the latest ThreatView charts, Magento 2 remains the most targeted platform, but the biggest movement is elsewhere: Shopify has risen sharply and now appears to be the second most targeted platform for digital skimmers.
A practical guide for Magento and Adobe Commerce merchants dealing with PolyShell: what it is, how to detect compromise, how ThreatView helps, and what to do next.
At Turaco Labs, our ThreatView telemetry has detected a concerning spike in compromised PrestaShop websites. As of this morning, we have identified 327 hacked sites actively running payload loaders or digital skimmer malware.
