Supply Chain Security

Polyfill Supply Chain Attack Hits Over 100k Websites 

More than 100,000 websites are affected by a supply chain attack injecting malware via a Polyfill domain.


Security researchers are warning of a web supply chain attack impacting over 100,000 websites that are using the ‘cdn.polyfill.io’ domain.

The polyfill.io website was used to host a service for adding JavaScript polyfills to sites, small bits of code that provide modern functionality in older browsers and ensure compatibility with a broader range of browsers.

In February 2024, however, the domain and associated GitHub account were taken over by the Chinese content delivery network (CDN) company Funnull, which sparked concerns of supply chain attacks being carried out via polyfill.io.

These concerns proved well founded recently, when website owners using polyfill.io began noticing abnormal behavior on their sites and complaining about it.

On Tuesday, security researchers at Sansec and C/side confirmed that the cdn.polyfill.io domain is injecting malicious code into more than 100,000 websites that are using it.

“The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely,” Sansec warned, noting that one payload was redirecting to a sports betting website that was using a fake Google analytics domain.

“The malicious code dynamically generates payloads based on HTTP headers, activating only on specific mobile devices, evading detection, avoiding admin users, and delaying execution. The code is also obfuscated,” C/side said.

Users are being redirected to sports betting websites or adult domains, likely based on their location, the threat intelligence firm said.


“But this being JavaScript, could at any moment introduce new attacks like formjacking, clickjacking, and broader data theft,” C/side warned.

While the Polyfill service appears to remain functional and clean, the cdn.polyfill.io domain should immediately be removed from any website, the threat intelligence firm said.
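A defender-side check for the removal step above, added here as an example and not taken from the article or from any vendor it names: it parses a page's HTML and reports every `<script>` or `<link>` reference to polyfill.io or one of its subdomains, including protocol-relative `//` URLs, and notes whether an `integrity` attribute was present. The sample HTML is constructed.

```python
"""Find <script>/<link> includes that load from polyfill.io hosts."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The article names cdn.polyfill.io; any host under polyfill.io is treated as affected.
FLAGGED_DOMAINS = ("polyfill.io",)


def is_flagged_host(url: str) -> bool:
    """True if the URL's host is polyfill.io or a subdomain of it."""
    if url.startswith("//"):
        url = "https:" + url  # protocol-relative URL, give it a scheme so it parses
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)


class PolyfillScanner(HTMLParser):
    """Collect external references in <script src> and <link href> attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[dict] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url and is_flagged_host(url):
            # Without SRI the CDN can serve arbitrary code; note whether it was set.
            self.findings.append({"tag": tag, "url": url,
                                  "line": self.getpos()[0],
                                  "integrity": "integrity" in a})


def scan_html(page: str) -> list[dict]:
    """Return one finding per flagged include in the given HTML source."""
    parser = PolyfillScanner()
    parser.feed(page)
    parser.close()
    return parser.findings


# Constructed sample page; the example.com include is a control that must not fire.
SAMPLE = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example.com/app.js" integrity="sha384-PLACEHOLDER"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE):
        print(f"line {f['line']}: <{f['tag']}> loads {f['url']} (integrity={f['integrity']})")
```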

“This incident is a typical example of a supply chain attack,” Sansec underlined. Overall, more than 110,000 websites appear to be using cdn.polyfill.io.

Also on Tuesday, Google started warning advertisers about issues with loading JavaScript code from polyfill.io and several other domains, noting that site visitors may be redirected to malicious domains without their permission and that it would block Google Ads for the infected websites.

In February, after the China-based firm bought polyfill.io, Andrew Betts, the original polyfill author, warned that the new domain owner should not be trusted and that Polyfill should no longer be used, as modern browsers already contain the required functionality.

Responding to these concerns, web infrastructure providers such as Cloudflare announced the availability of alternatives to help users safely move from polyfill.io.

“Protecting our users is our top priority. We detected a security issue recently that may affect websites using certain third-party libraries. To help potentially impacted advertisers secure their websites, we have been proactively sharing information on how to quickly mitigate the issue,” a Google spokesperson told SecurityWeek.

*Updated with statement from Google.

Related: Several Plugins Compromised in WordPress Supply Chain Attack

Related: Supply Chain Attack: Major Linux Distributions Impacted by XZ Utils Backdoor

Related: Vulnerability in R Programming Language Could Fuel Supply Chain Attacks


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
