CyberSecurity SEE

More than 380,000 Hosts Embedding Polyfill JS on Malicious Domain
A recent supply chain attack has rocked the web development community, with over 380,000 web hosts discovered embedding a compromised Polyfill.io JavaScript script that linked to a malicious domain. This attack has shed light on the vulnerabilities present in widely used open-source libraries, raising concerns about the security of the software supply chain.

The Polyfill.js tool, which is designed to provide modern functionalities for older web browsers, was the target of this sophisticated attack. In February 2024, the domain and GitHub account for Polyfill.io were acquired by Funnull, a Chinese CDN company, sparking immediate concerns about the service’s legitimacy. These concerns were validated when malware injected through cdn.polyfill.io began redirecting users to malicious sites, impacting high-profile platforms such as JSTOR, Intuit, and the World Economic Forum.

According to cybersecurity firm Censys, a total of 384,773 hosts were found to include references to “https://cdn.polyfill[.]io” or “https://cdn.polyfill[.]com” in their HTTP responses. A significant number of these hosts, approximately 237,700, were located within the Hetzner network in Germany, a popular choice among web developers. Further analysis revealed that major companies like Warner Bros, Hulu, Mercedes-Benz, and Pearson had large numbers of hosts referencing the malicious Polyfill endpoint, with many using Amazon S3 static website hosting.

The attack’s reach extended to government domains as well, with Censys observing 182 affected hosts displaying a “.gov” domain. The widespread impact of this breach has prompted swift responses from companies like Cloudflare and Fastly, which have offered secure alternative endpoints to mitigate the threat without causing websites to break. Google has blocked ads for e-commerce sites using Polyfill.io, and the website blocker uBlock Origin has added the domain to its filter list.

Andrew Betts, the original creator of Polyfill.io, has advised website owners to remove the library immediately, emphasizing that it is no longer necessary for modern browsers. Namecheap, the domain registrar for Polyfill.io, took down the malicious domain to mitigate the immediate threat. However, the incident underscores the growing threat of supply chain attacks on open-source projects, highlighting the importance of securing dependencies.
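The references Censys counted above are ordinary `<script src>` and `<link href>` tags pointing at the two CDN hostnames, and Betts's advice is simply to remove them. The following is an added example, not code from the article or from the Polyfill project, that scans an HTML document for such tags so an operator can audit their own pages; the sample HTML and its paths are constructed for illustration.

```python
"""Find <script>/<link> tags that load resources from the Polyfill.io CDN hosts."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The two hostnames named in the Censys report, written undefanged so URLs parse.
FLAGGED_HOSTS = {"cdn.polyfill.io", "cdn.polyfill.com"}


class PolyfillRefFinder(HTMLParser):
    """Collect (tag, attribute, url) for every resource loaded from a flagged host."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # Self-closing <link .../> tags are routed here too by HTMLParser.
        for name, value in attrs:
            if (tag == "script" and name == "src") or (tag == "link" and name == "href"):
                # urlsplit handles absolute and protocol-relative (//host/...) URLs;
                # .hostname is already lower-cased.
                host = urlsplit((value or "").strip()).hostname
                if host in FLAGGED_HOSTS:
                    self.hits.append((tag, name, value))


def find_polyfill_refs(html: str):
    """Return a list of (tag, attribute, url) hits found in an HTML document."""
    finder = PolyfillRefFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample page: two polyfill.io loads, one polyfill.com preload, one clean script.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>
<link rel="preload" as="script" href="https://cdn.polyfill.com/v3/polyfill.min.js">
<script src="https://example.invalid/static/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_polyfill_refs(SAMPLE_HTML):
        print(f"remove <{tag} {attr}=...>: {url}")
```

Run it over a saved copy of each page (or an HTTP response body) and remove or replace every reported tag; a page with no hits prints nothing.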

Further investigation into the malicious Polyfill.io domain revealed concerning details, including historical DNS records linking the domain to several suspicious domains hosted by a company based in Singapore. The maintainers of the Polyfill GitHub repository had also leaked their Cloudflare API secrets, revealing additional active domains linked to the same account. One of these domains, bootcss[.]com, had been engaging in similar malicious activities since June 2023.

The tactics used in the Polyfill.io attack, such as redirecting users to malicious sites based on device conditions, highlight the vulnerabilities in the web development ecosystem. Developers must prioritize the security of their open-source dependencies to prevent such sophisticated attacks in the future. Collaboration and innovation within the industry are essential to safeguarding the digital infrastructure that supports our modern world.

As the web development community grapples with the aftermath of this breach, the lessons learned will shape future approaches to securing open-source projects. It is crucial to remain vigilant and implement robust security measures to protect against supply chain attacks and safeguard the integrity of the software supply chain.