# deployecommerce/module-trojan-order-prevent > A Magento2 extension that prevents billing/shipping addresses being saved via the API with known trojan order strings. `composer require deployecommerce/module-trojan-order-prevent` Canonical URL: https://packagento.com/deployecommerce/module-trojan-order-prevent ## At a glance - **Vendor**: deployecommerce (https://packagento.com/deployecommerce.md) - **Latest version**: 1.0.4 — released 2024-08-15 - **Pricing**: Free - **Package type**: Magento 2 module - **Status**: active, accepting new buyers ## Installation Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them. 1. **Sign in or create an account** at https://packagento.com/customer/account/. 2. **Add the package to your account.** Open https://packagento.com/deployecommerce/module-trojan-order-prevent and complete the free checkout. A licence is minted automatically. 3. **Create or pick a project, then activate the licence on it.** - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/. - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project. 4. **Add the project credentials to your Magento codebase.** Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`: ```json { "http-basic": { "packagento.com": { "username": "ppk_live_...", "password": "psk_live_..." } } } ``` Add the Packagento Composer repository to `composer.json`: ```json { "repositories": [ { "type": "composer", "url": "https://packagento.com" } ] } ``` 5. **Install and apply.** ```bash composer require deployecommerce/module-trojan-order-prevent:* bin/magento setup:upgrade bin/magento setup:di:compile bin/magento cache:flush ``` ## What it does A Magento2 extension that prevents billing/shipping addresses being saved via the API with known trojan order strings. ## README This is a Magento 2 extension that prevents billing/shipping addresses being saved via the API with known trojan order strings. This is *not a fix* for CVE-2022-24086 but an additional layer of protection for merchants. Although patched in most recent Magento versions we still see probes for this which look rather unsightly for merchants in the orders screen of Magento. This module adds two plugins to the `Magento\Quote\Api\BillingAddressManagementInterface` and the `Magento\Quote\Model\ShippingAddressManagementInterface` to prevent the saving of addresses with the following strings: ``` gettemplate base64_ afterfiltercall .filter( magdemo9816@proton.me .php this.getTemp {{var ``` If these are detected in the payload then an Exception is thrown and the address is not saved. #### Installation ```bash composer require deployecommerce/module-trojan-order-prevent bin/magento mo:e DeployEcommerce_TrojanOrderPrevent ``` #### Further Reading - https://sansec.io/research/trojanorder-magento - https://www.bleepingcomputer.com/news/security/magento-stores-targeted-in-massive-surge-of-trojanorders-attacks/ - https://cyberfraudcentre.com/surge-in-trojanorders-attacks-on-magento-2-e-commerce-sites - https://magento.stackexchange.com/questions/358839/magento-2-fake-customer-order-came-through-with-weird-code-instead-of-customer - https://github.com/magento/magento2/issues/36691 #### License This module is licensed under the MIT License. See the [LICENSE](LICENSE.md) file for details. ## Recent Versions | Version | Released | |---|---| | 1.0.4 | 2024-08-15 | | 1.0.3 | 2024-08-15 | | 1.0.2 | 2024-08-12 | | 1.0.1 | 2024-08-05 | | 1.0.0 | 2024-08-02 | ## Quality Latest release (1.0.4) passes the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers. ### Compatibility Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`. | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | Pass | Pass | – | – | | 2.4.8 | – | Pass | Pass | – | | 2.4.9 | – | – | Pass | Pass | ### Code Quality Advisory checks against the module's source. Never affect the Compatibility verdict — a phpcs finding can't make a module incompatible. #### Static Analysis Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module. | Tool | Status | Findings | Summary | |---|---|---|---| | PHPCS | Warning | 1 | 1 warning (ruleset: Magento2) — 1 auto-fixable with phpcbf | | PHPMD | Warning | 2 | 2 rule violations (UnusedFormalParameter:2) | | Cpd | Pass | 0 | | | Composer validate | Pass | 0 | | #### PHPStan Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases. | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | Pass | Pass | – | – | | 2.4.8 | – | Pass | Pass | – | | 2.4.9 | – | – | Pass | Pass | ### Tests Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately. #### Unit Tests | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | N/A | N/A | – | – | | 2.4.8 | – | N/A | N/A | – | | 2.4.9 | – | – | N/A | N/A | #### Integration Tests | Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 | |---|---|---|---|---| | 2.4.7 | N/A | N/A | – | – | | 2.4.8 | – | N/A | N/A | – | | 2.4.9 | – | – | N/A | N/A | ### Security Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright. | Tool | Status | Findings | Summary | |---|---|---|---| | Composer audit | Pass | 0 | | | Malware scan | Pass | 0 | | ## Licence and pricing Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step. Refundable within 14 days of first purchase via https://packagento.com/account/refunds/. ## Install via Claude Code or any MCP client The Packagento MCP server can run the licence + project + Composer steps above in one tool call: ``` purchase_and_install_packages( composer_names=["deployecommerce/module-trojan-order-prevent"], project_id="proj_xxx" ) ``` This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup. ## Vendor deployecommerce is a Magento 2 vendor on Packagento. See https://packagento.com/deployecommerce.md for their full catalogue.