Unexpected supply chain attack after acquisition of polyfill.io
In the summer, Sansec, an eCommerce malware detection company, reported a supply chain attack on the popular JavaScript library Polyfill.io. The attack began in February after the China-based company Funnull acquired Polyfill.io. This takeover led to malicious code being injected into websites using the library, targeting mobile devices and redirecting users to scam sites. The developer community quickly responded, with Namecheap suspending the malicious domain and Cloudflare and Fastly offering secure alternatives. This incident underscores the vulnerabilities in the supply chain of open-source software. Read more in this week’s edition of Cyber Security Insights.
Figure 1 Funnull’s Web Site
What is Polyfill.io and why was it targeted?
Polyfill.io is an open-source JavaScript library that supports older browsers: it detects an end user's browser and serves the necessary ‘polyfills’ to ensure compatibility with modern web technologies. By embedding scripts from cdn.polyfill.io (Polyfill.io’s open-source CDN), developers get polyfills without managing them manually, simplifying the work of maintaining browser compatibility. Polyfill.io was originally developed and operated by the web development team at the Financial Times and later moved under community management. In July 2023, when the Financial Times ended its support, Polyfill.io was handed over to Jake Champion, who had played a key role in maintaining the library for many years and had worked at the Financial Times until April 2022.
Figure 2 Example HTML Source Code for a Web Site Using Polyfill.io
Polyfill.io launched a Supply Chain Attack
In February 2024, the company Funnull announced that it had acquired Polyfill.io. The announcement (Figure 3) has since been removed.
Funnull operates a CDN business with offices around the world and is believed to be a Chinese-owned company.
Figure 3 Funnull Announces Its Acquisition of Polyfill.io at the End of February
Upon learning of the acquisition, Polyfill.io users expressed concerns about the new ownership, and the discussion threads of the Polyfill.io GitHub repository filled with comments. The original creator, Andrew Betts, also advised against the use of polyfill.io.
First news of the attack
In the summer, Dutch security firm Sansec reported that Polyfill.io was carrying out a supply chain attack that delivered malicious JavaScript code to mobile devices connecting to websites using the library. The domain was reported to be injecting malware onto mobile devices via any site that embeds cdn.polyfill.io. The attack primarily targeted mobile devices and selectively sampled sessions to remain stealthy and harder to detect. The malicious code was then used for a redirection attack, diverting users to scam sites. Sansec decoded one malware sample that redirected mobile users to a sports betting site using a fake Google Analytics domain.
Figure 4 Sansec Report on Polyfill.io Supply Chain Attack
Multiple companies worked to mitigate the attack
Namecheap (a domain registrar and web hosting company) suspended the malicious polyfill.io domain, mitigating the immediate threat. However, Censys (an internet intelligence data organization) detected that as of July 2, 384,773 hosts still embedded the polyfill JS script linking to the malicious domain. Other companies responding to the situation included Cloudflare and Fastly, which both offered alternative, secure endpoints for users, and Google, which blocked ads for e-commerce sites using polyfill.io.
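As an added, defender-side example that is not part of the original post: a short Python script that finds `<script>` tags loading from polyfill.io (matching the host rather than a substring, so look-alike domains are not mis-flagged) and rewrites them to a mirror, in the spirit of the link replacement Cloudflare offered. The sample HTML and the mirror host `mirror.example` are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample page, modelled on the kind of markup in Figure 2.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://example.com/app.js"></script>
<script src="https://cdn.polyfill.io.example.net/x.js"></script>
</head><body></body></html>"""

RISKY_DOMAIN = "polyfill.io"
MIRROR_HOST = "mirror.example"  # placeholder: use the mirror your organisation has vetted


def is_polyfill_io(src):
    """True only when the script host is polyfill.io or a subdomain of it.
    A plain substring test would also flag look-alikes such as polyfill.io.example.net."""
    host = urlsplit(src).hostname  # also parses scheme-relative "//host/path" URLs
    if host is None:
        return False
    host = host.lower()
    return host == RISKY_DOMAIN or host.endswith("." + RISKY_DOMAIN)


def rewrite_to_mirror(src, mirror_host=MIRROR_HOST):
    """Swap scheme and host for the mirror; keep path and query (the feature list)."""
    parts = urlsplit(src)
    return urlunsplit(("https", mirror_host, parts.path, parts.query, ""))


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def find_polyfill_scripts(html):
    """Return the script src values on a page that load from polyfill.io."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return [s for s in collector.srcs if is_polyfill_io(s)]
```

Run `find_polyfill_scripts` over crawled or locally stored HTML to inventory exposure, then `rewrite_to_mirror` on each hit to generate the replacement tag.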
Also in response, a Polyfill X account posted: “Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website, but no one would do this as it would jeopardize our own reputation”.
Summary
The attack involved malicious code injection that redirected users to harmful sites or downloaded malicious files; this type of attack can lead to data theft, malware distribution and unauthorized access to sensitive information. As the attack impacted over 100K websites, it triggered a prompt response from the industry, with a warning from Google and suspension of the domain.
About our Cyber Security Insights
This blog post is part of our Cyber Security Insights, which are released several times every month and provide insights into the evolving threat landscape. Crafted by NTT Security Japan Inc. Consulting Services Department’s OSINT Monitoring Team and NTT Security Sweden’s Incident Response Team, our content includes expert analysis on recent breaches, vulnerabilities, and cyber events. Stay ahead of the curve with our timely updates and actionable intelligence, ensuring your digital assets remain secure in an ever-changing environment.
Read more Cyber Security Insights here.
Sources:
- Sansec, “Polyfill supply chain attack hits 100K+ sites”
- Internet Archive Wayback Machine, “GitHub – Is it true that polyfill.io hosting is going to be owned by a Chinese company?”
- Censys, “July 2: Polyfill.io Supply Chain Attack – Digging into the Web of Compromised Domains”
- Internet Archive Wayback Machine, “Polyfill.io – Polyfill.io”
- Internet Archive Wayback Machine, “GitHub – polyfill-service”
- Internet Archive Wayback Machine, “Polyfill.io – Polyfill service”
- Internet Archive Wayback Machine, “Polyfill.io – New ownership of the polyfill service”
- The Org, “Jake Champion”
- The Register, “If you’re using Polyfill.io code on your site – like 100,000+ are – remove it immediately”
- The Register, “Polyfill.io owner punches back at ‘malicious destruction’ amid domain shutdown”
- Internet Archive Wayback Machine, “GitHub – polyfill.io domain owner”
- x.com, @triblondon
- Fastly, triblondon
- Cloudflare, “polyfill.io now available on cdnjs: reduce your supply chain risk”
- Fastly, “New options for Polyfill.io users”
- Cloudflare, “Automatically replacing polyfill.io links with Cloudflare’s mirror for a safer Internet”
- x.com, @Polyfill_Global