
Polyfill.io supply chain attack hits 100,000+ websites — all you need to know

In a significant supply chain attack, over 100,000 websites using Polyfill[.]io, a popular JavaScript CDN service, were compromised.

Earlier this year, a Chinese company called Funnull took over ownership of the polyfill[.]io domain. The CDN then began delivering malicious JavaScript, which was automatically loaded by every website that embedded scripts from cdn.polyfill[.]io. The code would redirect mobile visitors of a website to scam sites.
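As an added defensive check, not code from the original post, the following script scans a page's HTML for script tags that load from the compromised domain (or any subdomain of it, such as cdn.polyfill.io), handling protocol-relative URLs and skipping same-origin paths; the sample HTML and the non-polyfill CDN URL in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain whose CDN responses were altered after the ownership change.
# Matching covers the apex and any subdomain (cdn.polyfill.io etc.).
FLAGGED_DOMAINS = ("polyfill.io",)


def is_flagged_host(host, domains=FLAGGED_DOMAINS):
    """True if host is a flagged domain or a subdomain of one."""
    if not host:
        return False
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


class _ScriptCollector(HTMLParser):
    """Collects the src of every <script src=...> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # html.parser lowercases tag and attribute names
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src.strip())


def find_flagged_scripts(html, domains=FLAGGED_DOMAINS):
    """Return src values of script tags that load from a flagged domain.

    urlparse also resolves protocol-relative URLs ("//polyfill.io/...");
    same-origin paths such as /static/app.js have no hostname and are skipped.
    Each hit is a third-party script executed on every page view; the fix the
    original developer recommends is to remove the tag."""
    collector = _ScriptCollector()
    collector.feed(html)
    return [s for s in collector.srcs
            if is_flagged_host(urlparse(s).hostname, domains)]


# Constructed sample page: two polyfill.io references (one protocol-relative),
# one script on a different CDN host, and one same-origin script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script SRC='//polyfill.io/v3/polyfill.min.js'></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""
```

Run it against saved page sources or rendered templates in CI so that a reintroduced reference fails the build.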

Due to the fallout from this attack, Google has informed advertisers about possible impacts on their landing pages that might be contaminated with malicious scripts, while Fastly and Cloudflare have set up safe mirrors of Polyfill.

We break down what this incident means for npm developers and packages relying on the Polyfill CDN.

Understanding the Polyfill.io Compromise

In February 2024, Andrew Betts, the original developer of the polyfill service, warned users against using polyfill[.]io as a precaution, months before there was any indication or knowledge of foul play.

“If your website uses http://polyfill.io, remove it IMMEDIATELY,” wrote Betts. “I created the polyfill service project but I have never owned the domain name and I have had no influence over its sale.”

“No website today requires any of the polyfills.”

Sansec researchers discovered this week that since the domain changed hands, it has been “injecting malware on mobile devices via any site that embeds cdn.polyfill[.]io”, and raised the alarm for everyone.

Although technology leaders like Cloudflare, Fastly, and Google have all stepped in to thwart the threat, it’s not yet over. Google started alerting advertisers that their landing pages contain the malicious code that could send visitors away from the intended site without the website owner knowing about it. Cloudflare and Fastly set up safer mirrors of the Polyfill service.

Given how widespread (Read more...)

*** This is a Security Bloggers Network syndicated blog from 2024 Sonatype Blog authored by Ax Sharma. Read the original post at: https://www.sonatype.com/blog/polyfill.io-supply-chain-attack-hits-100000-websites-all-you-need-to-know