Scanner, signatures and the largest Magento malware collection on earth
HTML PHP JavaScript Python NewLisp Click Other
Fetching latest commit…
Cannot retrieve the latest commit at this time.

Magento Malware Scanner

Magento is a profitable target for hackers. Since 2015, I have identified more than 20.000 compromised stores. In most cases, malware is inserted that will a) intercept customer data, b) divert payments or c) uses your customers for cryptojacking.

This project contains both a fast scanner to quickly find malware, and a collection of Magento malware signatures. They are recommended by Magento and used by the US Department of Homeland Security, the Magento Marketplace, Magereport, the Mage Security Council and many others.

Need help?

If you have a compromised store and are stuck, do get in touch. I am often hired to assist teams with complex breaches.

Scan your site in 30 seconds

On a standard Linux or Mac OSX server, run two commands to find infected files:

grep -Erlf mwscan.txt /path/to/magento

(if no files are shown, then nothing was found!)


Advanced scanner for sysadmins: mwscan


  1. Automatically download latest malware signatures.
  2. Incremental scans: only display hits for new files. Plus, normal scanning may use lots of server power. So only scanning new files is a great optimization.
  3. Faster scanning: using Yara is 4-20x times faster than grep.
  4. Efficient whitelisting: some extension vendors have obfuscated their code so that it looks exactly like malware. We maintain a list of bad-looking-but-good-code to save you some false alarms.
  5. Extension filtering: most of the time, it is useless to scan image files, backups etc. So the default mode for the Malware Scanner is to only scan web code documents (html, js, php).

See advanced usage.

Test coverage

Build Status

Travis-CI verifies:

  • that all samples are detected
  • all signatures match at least one sample
  • Magento releases do not trigger false positives