Researchers: polyfill.io, which offers JavaScript polyfills, is being used to infect 100K+ websites with malware, after a Chinese CDN bought the domain in 2024
The Register (Jessica Lyons)
Related Coverage
- Automatically replacing polyfill.io links with Cloudflare's mirror for a safer Internet The Cloudflare Blog
- Hulu, 100K+ Other Websites May Be Exposed to Polyfill Malware PCMag
- Polyfill supply chain attack hits 100K+ sites Sansec
- Polyfill claims it has been ‘defamed’, returns after domain shut down BleepingComputer
- More than 100k websites targeted in web supply chain attack c/side
- Polyfill.io gets dealt with by Cloudflare and Namecheap Stack Diary
- Supply chain attack compromises 100,000 websites via polyfill.io domain takeover SiliconANGLE
- Polyfill.io JavaScript supply chain attack impacts over 100K sites BleepingComputer
- Polyfill.io Supply Chain Attack Smacks Down 100K+ Websites Dark Reading
- Formerly legitimate Polyfill.io domain abused to serve malicious code CSO
- Thousands of websites told to ditch Polyfill service after Chinese hackers hijack it to serve malware TechRadar
- Over 100K sites hit by Polyfill.io supply chain attack SC Media
- Polyfill supply chain attack hits 100K+ sites (via) Short version: if you are loading assets … Simon Willison's Weblog
- Polyfill Supply Chain Attack Hits Over 100k Websites SecurityWeek
- Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack The Hacker News
- On the Polyfill supply-chain attack: — Interestingly, whoever controls the official Polyfill Twitter account claims defamation - but their “we have no supply chain risks because all content is statically cached” seems like wilful misunderstanding of the question. — https://x.com/... … @tychotithonus@infosec.exchange
- Surprised to discover this morning, vis-à-vis the polyfill CDN attack, that there's no current support for adding SRI hashes to import statements in ES modules. Even Deno doesn't have it, which seems like a wild oversight given their aggressive CLI security flags. @thomaswilburn@toot.cafe
- Delete any polyfill.io code, if you have it on your website: — https://www.theregister.com/ ... And mark it as untrusted on your NoScript settings. @rosjackson@wandering.shop
- We created polykill.io to warn friends and customers about this supply chain risk and unfortunately our worst fears have come true: … Wesley Hales
- If you're using Polyfill.io code on your site - remove it immediately Hacker News
- Polyfill supply chain attack hits 100K+ sites Hacker News
Discussion
- @prehnra@mastodon.social (Robert Prehn) on mastodon: Can we, as an industry, agree to stop serving our users executable code off of random domains that we don't control? — https://sansec.io/...
- @TheRealPomax@mastodon.social on mastodon: Can someone explain why the owner of the .io TLD isn't legally responsible for immediately nuking polyfill.io because it's literally the same as “buying a phone exchange so you can MitM all conversations, and you are that man”? …
- @rooneymcnibnug@mastodon.social on mastodon: fwiw, I just blocked some polyfill.io domains that are being used for this supply chain attack ( https://cside.dev/... ) in latest commit to my SNAFU list: https://github.com/... #pihole
- @cloudflare on x: Given supply chain risk, Cloudflare launched an alternative endpoint to polyfill under cdnjs in February 2024. We would strongly encourage immediate replacement of any remaining links to polyfill with the cdnjs alternative endpoint. https://blog.cloudflare.com/ ...
- @kentcdodds (Kent C. Dodds) on x: When I worked at PayPal I knew it would be irresponsible to use a third party service without an SLA, so I grabbed the accompanying module and deployed it alongside our app so we could get the benefits with reduced risk. My concern was well-founded. https://kentcdodds.com/...
- @weldpond on x: If your website uses https://polyfill.io/, remove it immediately. In Feb, a Chinese company bought the domain & Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds https://cdn.polyfill.io/ https://sansec.io/...
- @sansecio on x: After our Polyfill publication, someone launched a DDoS attack against our infra. We restored our primary services, but now the attack has shifted to our payment provider, who has temporarily suspended us. https://x.com/... [image]
- @spazef0rze (Michal Špaček) on x: Google is now sending a warning about loading 3rd party JS from domains like polyfill . io, bootcss . com, bootcdn . net & staticfile . org that may do nasty things to your users if your site uses JS from these domains. [image]
- r/Frontend on reddit: Heads-up for polyfill.io users