Polyfill.io JavaScript supply chain attack impacts over 100K sites

Over 100,000 sites have been impacted in a supply chain attack through the Polyfill.io service after a Chinese company acquired the domain and the script was modified to redirect users to malicious and scam sites.
The polyfill.io service is used by hundreds of thousands of sites to allow all visitors to use the same codebase, even if their browsers do not support the same modern features as newer ones.
Today, cybersecurity company Sansec warned that the polyfill.io domain and service were purchased earlier this year by a Chinese company named 'Funnull' and that the script has been modified to introduce malicious code on websites in a supply chain attack.
To reduce the risk of a potential supply chain attack, Cloudflare and Fastly set up their own mirrors of the Polyfill.io service so that websites could use a trusted service.
Google has begun notifying advertisers about this supply chain attack, warning them that their landing pages include the malicious code and could redirect visitors away from the intended site without the website owner's knowledge or permission.
Google also warns that Bootcss, Bootcdn, and Staticfile have been found to cause unwanted redirects, potentially adding thousands, if not hundreds of thousands, of sites to those impacted by the supply chain attacks.
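For site owners checking their own pages, the following is an added example (not from the article or from any vendor it mentions) that scans HTML for tags loading from a watched domain or its subdomains. The function names, the watchlist variable and the sample markup are constructed for illustration; only polyfill.io comes from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# polyfill.io is the domain named in the article. The article gives only the
# service names Bootcss, Bootcdn and Staticfile; append their hostnames once
# confirmed from the vendor notice.
WATCHED_HOSTS = ("polyfill.io",)


def host_matches(url, watched=WATCHED_HOSTS):
    """True if the URL's host is a watched domain or one of its subdomains."""
    try:
        # Protocol-relative URLs ("//host/x.js") also carry a hostname.
        host = urlsplit(url.strip()).hostname or ""
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    host = host.rstrip(".").lower()
    return any(host == w or host.endswith("." + w) for w in watched)


class WatchedReferenceFinder(HTMLParser):
    """Collects <script src> and <link href> tags that point at watched hosts."""
    URL_ATTRS = {"script": "src", "link": "href"}

    def __init__(self, watched=WATCHED_HOSTS):
        super().__init__()
        self.watched = watched
        self.findings = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(self.URL_ATTRS.get(tag, ""))
        if url and host_matches(url, self.watched):
            self.findings.append((self.getpos()[0], tag, url))


def find_watched_references(html, watched=WATCHED_HOSTS):
    """Return (line, tag, url) for every reference to a watched host."""
    finder = WatchedReferenceFinder(watched)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page: two remote loads, one local copy, one lookalike.
SAMPLE = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="/static/js/polyfill.io-copy.js"></script>
<script src="https://notpolyfill.io/lib.js"></script>
<link rel="preconnect" href="https://POLYFILL.IO">
</head></html>"""

if __name__ == "__main__":
    for line, tag, url in find_watched_references(SAMPLE):
        print(f"line {line}: <{tag}> loads {url}")
```

Matching is done on the parsed hostname rather than by substring, so a self-hosted file whose path contains the domain name and a lookalike domain are not reported.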