June 26th, 2024

If you're using Polyfill.io code on your site – remove it immediately

A Chinese organization acquired polyfill.io, infecting 100,000+ websites with malware. Security warnings urge removal of its JavaScript code. Google blocks ads on affected sites. CDN mirrors aim to reduce risks.


A Chinese organization has acquired the polyfill.io domain and is using it to infect over 100,000 websites with malware. Security firms have issued warnings to immediately remove any JavaScript code from this domain to prevent the spread of malicious scripts to visitors. Google has started blocking Google Ads for websites using the impacted code to reduce potential victims. The domain was previously known for offering useful JavaScript code to enhance older browsers but is now serving hidden malicious code. The sale of the domain to a Chinese CDN operator in February has led to a supply chain attack affecting numerous websites. The creator of the polyfill service project has advised against using polyfill.io due to the security risks associated with the new ownership. Popular CDN providers have created mirrors of polyfill.io to mitigate the risk of compromise. The situation highlights the importance of maintaining secure software supply chains to prevent widespread compromises.
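One way to audit your own pages for the references the warnings say to remove, as an added example that is not part of the original article: a small Python scanner that reports every script or stylesheet tag whose host is polyfill.io or one of its subdomains (such as cdn.polyfill.io). The sample HTML and the file-path usage are constructed for illustration.

```python
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domain named in the advisory; cdn.polyfill.io and any other subdomain match as well.
FLAGGED_DOMAINS = ("polyfill.io",)


def host_is_flagged(url):
    """True if the URL's host is a flagged domain or a subdomain of one.
    Absolute (https://...) and protocol-relative (//...) URLs both yield a hostname;
    a path-only URL such as "/js/app.js" has none and is never flagged."""
    host = (urlsplit(url.strip()).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)


class PolyfillRefFinder(HTMLParser):
    """Collect <script src=...> and <link href=...> tags that load from a flagged host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lowercases tag and attribute names
        attr = {"script": "src", "link": "href"}.get(tag)
        url = a.get(attr) if attr else None
        if url and host_is_flagged(url):
            self.findings.append({"line": self.getpos()[0], "tag": tag, "url": url})


def find_polyfill_refs(html):
    """Return a list of {line, tag, url} findings for one HTML document."""
    finder = PolyfillRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: two flagged references, one third-party host, one self-hosted file.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://static.example.org/js/polyfill.min.js"></script>
<script src="/js/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    # Usage: python scan.py page1.html page2.html ...  (no arguments scans the sample above)
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    for name, html in sources or [("<sample>", SAMPLE_HTML)]:
        for f in find_polyfill_refs(html):
            print(f"{name}:{f['line']}: <{f['tag']}> loads {f['url']}  -> remove or self-host")
```

Because the service varies its output by User-Agent, a subresource-integrity hash cannot pin it, so a hit from this scan means replacing the reference rather than adding an integrity attribute.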

Related

Snowflake breach snowballs as more victims, perps, come forward

The Snowflake data breach expands to include Ticketek, Ticketmaster, and Advance Auto Parts. ShinyHunters claim involvement, Snowflake enforces security measures. CDK faces ransomware attack, Juniper and Apple vulnerabilities identified. Jetflicks operators convicted.

Firefox 3rd Party Installer Campaign – Mozilla Community Portal

Mozilla launches a campaign to investigate unofficial Firefox download sources for security risks and outdated versions. Participants report findings to enhance user security and experience. Campaign runs from June 14 to July 14, 2024.

Backdoor slipped into multiple WordPress plugins in ongoing supply-chain attack

A supply-chain attack compromised 36,000 websites using backdoored WordPress plugins. Malicious code added to updates creates attacker-controlled admin accounts, manipulating search results. Users urged to uninstall affected plugins and monitor for unauthorized access.

Malicious Code Injection Found in CDN Polyfill Link Targeting Mobile Users

Polyfill.io selectively polyfills browser features based on User-Agent headers. Tailored polyfills are provided, with official documentation on their website. Contribution guide on GitHub, self-hosting info, and MIT license available.

Polyfill supply chain attack hits 100K+ sites

A supply chain attack on Polyfill JS affects 100,000+ websites, including JSTOR and Intuit. Malware redirects mobile users to a betting site. Users advised to switch to trusted alternatives like Fastly and Cloudflare.

5 comments
By @Crespyl - 7 months
By @jampekka - 7 months
When the "right way" is harder than the "wrong way", you are guaranteed to get things done the "wrong way".

CDNs are used, because not using CDNs is made unnecessarily hard.

Want a local version-locked copy? Select one of the dozen mutually incompatible package managers. Then select one of the dozen buggy and slow mutually incompatible build systems. Then rewrite your app for CJS or ESM depending on the library, because ESM was made purposefully incompatible.

Want to use a CDN? Copy and paste this one line in your HTML.

By @spacebanana7 - 7 months
>Polyfill.io is used by academic library JSTOR as well as Intuit, World Economic Forum, and tons more.

> Since February, "this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io,"

This kind of attack seems difficult to detect and ruthlessly effective. Imagine how much money they could've made by selling fake Davos tickets.

By @ChrisArchitect - 7 months