Polyfill.io, BootCDN, Bootcss, Staticfile attack traced to 1 operator
2024-06-28 13:00

The recent large-scale supply chain attack conducted via multiple CDNs, namely Polyfill.io, BootCDN, Bootcss, and Staticfile, which affected anywhere from 100,000 to tens of millions of websites, has been traced to a common operator, according to researchers.

The exposed file, as also seen by BleepingComputer, contains a Cloudflare API token, a Cloudflare Zone ID, and Algolia API keys, among other values.

The Cloudflare API key allowed researchers, in particular mdmck10, to query and obtain a list of active zones associated with the particular Cloudflare account.

A Cloudflare "Zone" is a way for website administrators to organize and manage domains in their Cloudflare account, with distinct settings for each domain.

While Cloudflare never authorized Polyfill.io to use its logo and name and never endorsed the service, on Wednesday the DNS records for Polyfill.io were mysteriously switched to Cloudflare's, indicating that Cloudflare's services were at least partially in use by the domain owners.

MalwareHunterTeam, who has been closely monitoring the situation, drew attention to the fact that Google's warning to its advertisers regarding the supply chain attack was not limited to ad landing pages embedding polyfill.io, but also covered three more services: Bootcss, BootCDN, and Staticfile.


News URL

https://www.bleepingcomputer.com/news/security/polyfillio-bootcdn-bootcss-staticfile-attack-traced-to-1-operator/