PrestaShop Under Attack: What We're Seeing and How to Protect Your Store

At Turaco Labs, our ThreatView telemetry has detected a concerning spike in compromised PrestaShop websites. As of this morning, we have identified 327 hacked sites actively running payload loaders or digital skimmer malware.

This activity aligns with the recent security alert issued by PrestaShop in January 2026, warning merchants about a sophisticated campaign targeting their platform. With nearly 300,000 stores worldwide relying on PrestaShop, this ecosystem represents a high-value target for cybercriminals looking to harvest payment data at scale.

The Threat: Fake Payment Forms

According to PrestaShop's security alert, the attackers are replacing legitimate payment buttons on the order page with fraudulent buttons. When customers click on these fake buttons, they are redirected to counterfeit payment forms designed to capture their payment information.

The customer enters their credit card details into this fake form, and the data is stolen immediately. The transaction may then proceed normally through the legitimate payment processor, leaving the customer unaware that their payment information has been compromised - until fraudulent charges appear on their statement.

What PrestaShop Merchants Should Look For

PrestaShop's security alert has identified a consistent pattern of compromise.¹ If you operate a PrestaShop store, you should immediately check for the following indicators:

• Malicious Code Injection: Check for suspicious script tags injected into your active theme's _partials/head.tpl file.¹ This is the primary infection point being exploited.
• Obfuscation Techniques: Look for the atob() JavaScript function in your code, which attackers use to decode and load malicious payloads from external sources while bypassing basic security filters.¹
• Rogue Modules: Audit your installed modules for anything suspicious, particularly modules named "mloader" or "simplefilemanager" that you did not intentionally install.¹
• Suspicious Network Activity: Monitor your network logs for unusual outbound connections or data exfiltration attempts.

Why This Matters Now

For any merchant, a digital skimmer infection is a critical emergency. Beyond the immediate theft of funds, the liabilities are compounding:

• GDPR & Regulatory Fines: Under GDPR, a breach of this nature often requires reporting to authorities (such as the CNIL in France) within 72 hours. Failure to do so can result in severe fines.
• PCI Compliance: Hosting a skimmer is a direct violation of PCI DSS requirements. It can lead to forensic investigation costs, fines from card brands, and revocation of payment processing abilities.
• Customer Trust: Recovering reputation after your customers' cards are sold on the dark web is incredibly difficult.

The Broader Pattern

It is important to understand that PrestaShop is not alone. This campaign is part of a larger wave of attacks targeting eCommerce platforms. We have seen similar high-volume attacks targeting Magento and Adobe Commerce (such as the CosmicSting vulnerability CVE-2024-34102) over the last year, which compromised over 4,000 stores. The reality is that automated bots are constantly scanning the web for vulnerabilities across all major platforms.

Immediate Steps for Merchants

If you run a PrestaShop store, we urge you not to wait.

1. Scan Your Site Immediately: Use our free scanner to detect if the "mloader" or skimmer payload is active on your site.
2. Check Your Files: Manually inspect your _partials/head.tpl file for suspicious JavaScript tags.
3. Rotate Credentials: Immediately change all passwords for your back office, database, FTP, and SSH access.

Don't Delay. Each transaction processed while a skimmer is active compounds your legal, PII, and financial liabilities. Comprehensive security is no longer optional - it is a requirement for doing business online.

‍

Is Your Store Safe?

Check your site for free right now using ThreatView's scanner.

‍

SCAN YOUR SITE NOW

‍

‍