I know you are trying to get features shipped before Black Friday. Let us make sure Black Friday does not turn into your Black Day.
The Three Sentences I Keep Hearing
Every time I raise a security issue with a merchant, I get one of these back.
My hosting company did not find anything.
The malware scan shows we are all clean.
We use Sucuri, they remove malware for us.
All three are reassuring. None of them answer the actual question.
A malware scan tells you whether there is currently malicious code on your server. It does not tell you whether someone already walked off with your encryption key. Those are completely different problems, and only one of them shows up in a scan.
What Actually Has to Happen
We have been working closely with Sansec on the recent wave of attacks against Magento 2 stores. If your store was exposed and your CMS blocks were affected, four things must happen, in this order.
Install the patch or upgrade Magento. Generate a new cryptographic key. Re-encrypt your database passwords with that new key. Then invalidate the old key.
Most merchants do the first step and stop, because the first step is the one that feels like fixing it.
Why Patching Alone Leaves You Exposed
Here is the part that matters. You cannot tell whether your secret key was stolen. There is no log entry that says so.
So if it was stolen, patching does nothing. The attacker still holds a valid key to a store you now believe is safe. You have closed the door they came in through and left them inside the building.
That is why key rotation is not optional housekeeping. It is the actual remediation. The patch stops the next intrusion. The new key ends the current one.
Do It Before the Next Wave
Attacks cluster around the moments when merchants are busiest and least able to respond, which is precisely why Black Friday is a target rather than a coincidence. I have written about why Black Friday is the real stress test for an ecommerce team, and security is the half of it nobody rehearses.
If you want the technical background on how these Magento vulnerabilities actually work, I have explained what an unauthenticated RCE means for a merchant. And if nobody is watching your store daily, that is its own problem: supply chain attacks do not announce themselves.
Do the four steps. Do them now, not in the week you cannot afford downtime.