Security News > 2024 > June > Polyfill claims it has been 'defamed', returns after domain shut down
The owners of Polyfill.io have relaunched the JavaScript CDN service on a new domain after polyfill.io was shut down as researchers exposed it was delivering malicious code on upwards of 100,000 websites.
The Polyfill service claims that it has been "Maliciously defamed" and been subject to "Media messages slandering Polyfill."
The Polyfill.io domain appears to have been shut down as of today by its registrar Namecheap.
"We found media messages slandering Polyfill. We want to explain that all our services are cached in Cloudflare and there is no supply chain risk," writes Polyfill.
Its creator, Andrew Betts never owned and had no association with the polyfill.io domain which provided Polyfill's code via a CDN:. In February, a Chinese entity named 'Funnull' bought polyfill.io and introduced malicious code in the scripts delivered by its CDN. Sansec researchers recently identified that the supply chain attack resulting from Polyfill.io's modified scripts had hit more than 100,000 websites.
Cloudflare further corroborated Sansec's claims that code delivered by Polyfill.io's CDN was in fact redirecting users to sports betting sites and did so using a typosquatted domain name which was an intentional mispelling of the Google Analytics one.