BREAKING AT&T Data Breach: ‘Nearly All’ Wireless Customers Exposed in Massive Hack
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Polyfill Domain Shut Down as Owner Disputes Accusations of Malicious Activity

Namecheap shut down polyfill.io amid reports of malicious activity, but the Chinese owner claims it has good intentions.

Multiple reports of malicious activity have led to the polyfill.io domain being suspended on Wednesday and the Chinese owner of the domain fuming over so-called “malicious defamation”.

The domain was used to host polyfills, small bits of JavaScript code that provided older browsers with modern functionality and expanded websites’ compatibility without additional work from developers.

Polyfill has been around for over a decade, and earlier this week there were over 100,000 websites automatically loading and executing code from polyfill.io in visitors’ browsers.

In February 2024, the original project developer cast doubt on the legitimacy of the service, as the polyfill.io domain had just been purchased by a Chinese firm, while also underlining that Polyfill was no longer needed in modern browsers, despite its wide use.

Potentially malicious behavior associated with polyfill.io was first reported several weeks ago on the project’s GitHub page, but the new owner, a Chinese content delivery network (CDN) company named Funnull, quickly deleted the posts.

This week, however, the bubble burst, after security researchers raised the alarm on malicious behavior associated with ‘cdn.polyfill.io’: visitors of the websites containing its code were being redirected to sports betting and adult sites, and the code exhibited various evasion techniques.

In the light of major supply chain incidents such as the XZ Utils backdoor, the industry reacted promptly: Google warned advertisers of the malicious redirects, uBlock Origin started blocking polyfill.io, and Namecheap suspended the domain.

Shortly after the reports came in, Cloudflare began automatically rewriting links to polyfill.io on websites proxied through its infrastructure, directing them to its own polyfill mirror.

Advertisement. Scroll to continue reading.

“This will avoid breaking site functionality while mitigating the risk of a supply chain attack,” Cloudflare explained.

The Polyfill service was moved to polyfill.com, but that domain appears to have been blocked as well.

Funnull reacted as well, saying there was no supply chain risk and claiming that the reports were nothing more than slander and malicious defamation, and that its services are cached in Cloudflare, although the web security firm made it clear that it did not “authorized their use of Cloudflare’s name on their website”.

“Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website, but no one would do this as it would be jeopardize our own reputation,” the company posted on X.

“I have had enough of Cloudflare’s repeated, baseless, and malicious defamation. Their unethical strategy of suppressing competition before promoting their own products is deplorable. Moving forward, I will be fully dedicated to developing a global CDN product that surpasses Cloudflare,” it said in another post.

The company claims to have received $50 million in funding that will go towards improving the services, but various security veterans and software engineers reacted to the company’s posts, calling it out for making false statements and for copying the descriptions of legitimate services as their own.

Funnull appears to be owned by the Chinese-language firm ACB Group, but its actual location is unclear. The CDN claims to be from Slovenia with US ties, its X account claims to be from the UK, has a contact number in the Philippines, and uses Mandarin, suggesting at least some connections with China.

Related: Polyfill Supply Chain Attack Hits Over 100k Websites

Related: Zero-Day Attacks and Supply Chain Compromises Surge, MFA Remains Underutilized: Rapid7 Report

Related: Top Python Developers Hacked in Sophisticated Supply Chain Attack

Related: UK, Korea Warn of DPRK Supply Chain Attacks Involving Zero-Day Flaws

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

ICS and OT cybersecurity solutions provider TXOne Networks appoints Stephen Driggers as new CRO

Identity orchestration provider Strata Identity appoints Aldo Pietropaolo as Field CTO

Cybersecurity provider for the aviation industry Cyviation has appointed Eliran Almog as Chief Executive Officer.

More People On The Move

Expert Insights