Wednesday, July 10, 2024

Polyfill.io supply chain attack hits 100,000+ websites — all you need to know


In a significant supply chain attack, over 100,000 websites using Polyfill[.]io, a popular JavaScript CDN service, were compromised.

Earlier this year, a Chinese company called Funnull took over ownership of the polyfill[.]io domain. The CDN then began delivering malicious JavaScript, which was automatically deployed on every website that embedded scripts from cdn.polyfill[.]io. The code redirected mobile visitors of an affected website to scam sites.
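To audit a site for the kind of include described above, here is an added example (not code from the article or from the Polyfill project) that inventories the external script tags in a page's HTML and flags any that load from cdn.polyfill.io. The sample HTML and the example.com first-party host list are constructed for the demonstration; it runs under Node.js with no third-party packages.

```javascript
// Hosts the article identifies as delivering the malicious payload.
const COMPROMISED_HOSTS = new Set(['cdn.polyfill.io', 'polyfill.io']);

// Hosts treated as first party for the site under review (assumption: example.com).
const FIRST_PARTY_HOSTS = new Set(['example.com', 'www.example.com']);

// Extract the src of every <script ...> tag; handles double, single and unquoted values.
function extractScriptSources(html) {
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;
  const sources = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    sources.push(m[1] ?? m[2] ?? m[3]);
  }
  return sources;
}

// Resolve each src against the page URL (protocol-relative and relative srcs included)
// and classify it as first party, compromised, or third party needing review.
function auditScripts(html, pageUrl) {
  const findings = [];
  for (const src of extractScriptSources(html)) {
    let host;
    try {
      host = new URL(src, pageUrl).hostname.toLowerCase();
    } catch {
      findings.push({ src, host: null, verdict: 'unparseable' });
      continue;
    }
    let verdict = 'third-party';
    if (COMPROMISED_HOSTS.has(host) || host.endsWith('.polyfill.io')) verdict = 'compromised';
    else if (FIRST_PARTY_HOSTS.has(host)) verdict = 'first-party';
    findings.push({ src, host, verdict });
  }
  return findings;
}

// Constructed sample page: one first-party bundle, one protocol-relative polyfill.io
// include (the form many sites used) and one unrelated third-party CDN script.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src='//cdn.polyfill.io/v3/polyfill.min.js?features=default'></script>
<script async src=https://cdn.example-analytics.net/tag.js></script>
</head><body></body></html>`;

const report = auditScripts(SAMPLE_HTML, 'https://www.example.com/');
for (const f of report) console.log(`${f.verdict.padEnd(12)} ${f.host ?? '-'}  ${f.src}`);
```

Any script classified as third-party still deserves review; the compromised verdict only covers the domain named in this incident.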

As a result of the fallout from this attack, Google has informed advertisers about possible impacts on their landing pages, which might be contaminated with malicious scripts, while Fastly and Cloudflare have set up safe mirrors of Polyfill.

We break down what this incident means for npm developers and packages relying on the Polyfill CDN.

Understanding the Polyfill.io Compromise

In February 2024, Andrew Betts, the original developer of the polyfill service, warned users against using polyfill[.]io as a precaution, months before there was any indication or knowledge of foul play.

"If your website uses http://polyfill.io, remove it IMMEDIATELY," wrote Betts. "I created the polyfill service project but I have never owned the domain name and I have had no influence over its sale."

"No website today requires any of the polyfills."

Sansec researchers discovered this week that ever since the domain changed hands, it has been "injecting malware on mobile devices via any site that embeds cdn.polyfill[.]io," and raised the alarm for everyone.

Although technology leaders like Cloudflare, Fastly, and Google have all stepped in to thwart the threat, it is not yet over. Google started alerting advertisers that, as a result of this attack, their landing pages contain malicious code that could send visitors away from the intended site without the website owner knowing about it. Cloudflare and Fastly have set up safer mirrors of the Polyfill service.

grow, so does the need for robust supply chain security practices. It highlights the urgent need for improved supply chain security measures and greater vigilance in monitoring third-party services. Developers and organizations must prioritize security at every stage of the development process to mitigate the risks associated with third-party dependencies.

Investing in advanced threat detection systems, educating developers on secure coding practices, and fostering a culture of security awareness are crucial steps in enhancing supply chain security. Additionally, collaboration between security researchers, developers, and service providers is essential to identify and address vulnerabilities promptly.
