
Over 380k Hosts Still Referencing Malicious Polyfill Domain: Censys

Censys has discovered more than 380,000 hosts, including major platforms, still referencing the malicious polyfill.io domain.

JavaScript scripts referencing the recently suspended polyfill.io domain are present on over 380,000 internet-exposed hosts, attack surface management firm Censys reports.

Polyfill.io hosted polyfills, small JavaScript snippets that provide modern functionality in older browsers. The domain was suspended last week after it was caught redirecting visitors of websites embedding polyfill.io code to betting and adult sites.

The security community linked the malicious behavior to the site’s owner, the Chinese content delivery network (CDN) company Funnull, which bought polyfill.io and the associated GitHub repository in February 2024.

The supply chain attack was estimated to have impacted just over 100,000 websites and triggered a prompt response from the industry, including warnings from Google, uBlock Origin blocking polyfill.io, and Namecheap suspending it.

Now, Censys says that the potential impact from the incident was much larger: as of July 2, there are still 384,773 hosts embedding a polyfill script referencing the malicious domain.

Most of these are in Germany, within the Hetzner network (AS24940), but domains tied to major platforms, including Hulu, Mercedes-Benz, Pearson, and Warner Bros, also have a large number of hosts linking to the malicious polyfill endpoint.

According to Censys, an analysis of the identified domains shows broad usage of polyfill.io across various sectors, including government websites. A total of 182 affected hosts were displaying a .gov domain.

“While estimates of the scale of affected websites vary widely between sources (Sansec reported 100,000, while Cloudflare suggested ‘tens of millions’), it’s clear that this supply chain attack has had a widespread impact,” Censys notes.


The good news is that significantly more websites are now using alternative secure polyfill endpoints, such as those provided by Fastly and Cloudflare: the number went from 80,312 on June 28 to 216,504 on July 2.

The bad news is that the polyfill incident might be part of a broader malicious campaign that started in June 2023 and which appears to involve four other domains that are likely controlled by the same threat actor, namely bootcdn[.]net, bootcss[.]com, staticfile[.]net, and staticfile[.]org.

“One of these domains, bootcss[.]com, has been observed engaging in malicious activities that are very similar to the polyfill[.]io attack, with evidence dating back to June 2023,” Censys says.

The cybersecurity firm discovered a post on a Chinese developer forum that warned on June 20, 2023, of a malicious JavaScript file hosted on cdn.bootcss.com that, like the polyfill.io script, redirected users based on their geolocation.

Censys found 1.6 million public-facing hosts linking to these suspicious domains, but notes that bootcss[.]com appears to be the only one showing signs of malicious activity.
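As an added example (not code from the article or from Censys), the following Python scanner flags `<script>` includes whose host is polyfill.io or one of the four related domains named above, including subdomains such as cdn.bootcss.com; the sample HTML, the Cloudflare-hosted URL in it and the function names are constructed for illustration.

```python
"""Scan an HTML document for <script src=...> includes whose host is polyfill.io
or one of the four related domains named in the Censys report."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the article; any subdomain of these (e.g. cdn.polyfill.io) also matches.
SUSPECT_DOMAINS = ("polyfill.io", "bootcdn.net", "bootcss.com",
                   "staticfile.net", "staticfile.org")


def is_suspect_host(host):
    """True when host equals a suspect domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


class ScriptSrcCollector(HTMLParser):
    """Collect every src attribute found on a <script> start tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_suspect_scripts(html):
    """Return the script src values whose host matches a suspect domain."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        # Protocol-relative URLs ("//cdn.bootcss.com/...") need a scheme for urlparse.
        url = "https:" + src if src.startswith("//") else src
        if is_suspect_host(urlparse(url).hostname):
            hits.append(src)
    return hits


# Constructed sample page: two suspect includes, one migrated include, one look-alike path.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.bootcss.com/jquery/3.6.0/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<script src="https://example.com/notpolyfill.io/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for hit in find_suspect_scripts(SAMPLE_HTML):
        print("suspect script include:", hit)
```

Running it over a saved copy of each of your own pages (or the HTML an inventory crawl returns) lists the includes that still need to be moved to an alternative endpoint.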

“It wouldn’t be entirely unreasonable to consider the possibility that the same malicious actor responsible for the polyfill.io attack might exploit these other domains for similar activities in the future,” Censys concludes.

Update: C/side says there are more than 490,000 websites targeted in this supply chain attack.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
