
Polyfill Supply Chain Attack Affects Over 110,000 Websites

Updated on June 28, 2024


Polyfill.io, a domain used by over 110,000 websites to deliver JavaScript code, has been compromised in a supply chain attack, potentially leading to data theft and clickjacking attacks.

Security researchers have warned that Polyfill.io has been breached and is spreading malware through a widespread supply chain attack. The malicious code generates payloads based on HTTP headers to obfuscate its tracks. The domains cdn[.]polyfill[.]io and bootcss[.]com have been compromised, infecting over 110,000 websites with malicious code. Security firms are urging websites that load JavaScript from Polyfill to remove it immediately. The issue arose after a suspected Chinese firm purchased the domain in early 2024.
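The removal advice above presupposes that a site owner knows which pages pull code from the affected hosts. The following audit script is an added example, not code from the article or from Polyfill.io: it walks an HTML document, collects every `<script src>` value (absolute, protocol-relative and same-origin), and reports those whose hostname is, or is a subdomain of, the two domains the article names. The sample page and its URLs are constructed for the demonstration.

```python
"""Added example: find <script> tags that load code from the hosts named
in the article (polyfill.io and bootcss.com, including subdomains)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the article; any subdomain of these is also flagged.
COMPROMISED_HOSTS = ("polyfill.io", "bootcss.com")


def _host_of(src: str) -> str:
    """Lowercase hostname of a script URL. Protocol-relative URLs
    (//host/path) are resolved; same-origin paths yield ''."""
    src = src.strip()
    if src.startswith("//"):
        src = "https:" + src
    return (urlsplit(src).hostname or "").lower()


def is_compromised_host(host: str) -> bool:
    """True if host equals, or is a subdomain of, a listed domain.
    The leading dot prevents 'notpolyfill.io' from matching."""
    return any(host == h or host.endswith("." + h) for h in COMPROMISED_HOSTS)


class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def find_compromised_scripts(html: str) -> list:
    """Return src values of <script> tags that point at a listed host."""
    parser = _ScriptCollector()
    parser.feed(html)
    return [s for s in parser.sources if is_compromised_host(_host_of(s))]


# Constructed sample page: two external loads from the named domains,
# one same-origin script and one unrelated third-party CDN.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.bootcss.com/example/lib.min.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.jsdelivr.net/npm/vue@3"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src in find_compromised_scripts(SAMPLE_HTML):
        print("remove:", src)
```

Run it over saved copies of each page (or templates) in the site; a hit means the page still hands script execution to the compromised domain and should be changed to a self-hosted or trusted copy.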


Polyfill.io offered widely used code snippets that let older browsers support modern JavaScript features. This made web development easier and allowed compatibility with a broader range of browsers. Because the service injected its code directly into visitors' pages, the insertion of malicious code into these snippets means anyone visiting an affected website could have malicious JavaScript run in their browser.

Eyal Paz, VP of Research at OX Security, highlighted the implications of the attack: “The recent Polyfill supply chain attack highlights a critical issue with current-day web development: the trust placed in third-party libraries. Many organizations struggle to track the long tail of the software supply chain, creating a perfect storm of unmanaged cybersecurity risk.”

Paz emphasized the need for AppSec teams to have complete visibility into all software deployed within their organization’s ecosystem. He recommended generating a Software Bill of Materials (SBOM) to provide an accurate inventory of all application components, and regularly assessing the security posture of third-party libraries. Implementing strong vulnerability management practices can reduce the likelihood of transitive vulnerabilities and the increase in cyber risk that comes with them.

“The best way to stay ahead of attackers is to obtain a single point of view of the application attack surface. Companies should implement a holistic AppSec approach incorporating continuous monitoring, contextual enrichment for remediation prioritization, and quick response capabilities to mitigate the most critical vulnerabilities threatening your software security supply chain,” Paz added.

Websites with infected scripts may redirect users to malicious sites, including pornographic and sports betting websites. Prominent victims of the attack include the World Economic Forum, Intuit, and JSTOR websites. Security firms indicate that the malware has been distributed via the domain since February 2024.

Security researchers have discovered that the malicious code generates payloads that vary based on HTTP headers. This lets it activate only on specific devices, delay execution, and avoid administrative users, all of which make the injected code harder to detect.

Google has responded by blocking Google Ads on websites using the infected code, presumably to reduce the number of victims. The tech giant has also sent warnings to site owners, advising immediate action to mitigate risks for themselves and their users.

Abdul Rehman
