Supply Chain Attack Hits Over 100,000 Websites – Malicious Polyfill Injection and Impact

A Massive Supply Chain Attack Hits Over 100,000 Websites, Including Major Platforms

A widespread supply chain attack has targeted more than 100,000 websites, causing chaos for notable platforms like JSTOR, Intuit, and the World Economic Forum. The attack originated from a fake domain posing as the popular open-source library Polyfill.js, which provides support for older browsers.

The Chinese company Funnull acquired the domain and GitHub account associated with the Polyfill.js project in February, allowing them to insert malware into sites that utilize cdn.polyfill.io. The malicious code is specifically designed to redirect mobile users to sports betting or explicit sites using a counterfeit Google Analytics domain.

Security researchers have highlighted the sophisticated nature of the injected malware, which adapts dynamically based on HTTP headers, making it challenging to detect. This Polyfill injection assault exemplifies a supply chain attack targeting a widely used library, showcasing the vulnerability of interconnected digital ecosystems.

The compromised Polyfill code generates malware tailored to specific conditions, such as targeted mobile devices and circumventing admin detection. The attack has far-reaching consequences, prompting Google to block ads for e-commerce sites using polyfill.io and even subjecting researchers to DDoS attacks after uncovering the campaign.

In response to the incident, the original Polyfill author, Andrew Betts, advised against Polyfill usage and emphasized the critical need for vigilance when integrating external code libraries. Experts have established a domain, polykill.io, to alert website owners of the risks associated with the compromised Polyfill project and recommend switching to secure alternatives like Fastly and CloudFlare.

This attack serves as a stark reminder of the security risks inherent in relying on third-party scripts and the essential measures needed to safeguard digital infrastructure from malicious takeovers and supply chain vulnerabilities.