Over 380,000 web hosts have been found embedding a compromised Polyfill.io JavaScript script, linking to a malicious domain.
This supply chain attack has sent shockwaves through the web development community, highlighting the vulnerabilities inherent in widely used open-source libraries.
Polyfill.js, a popular tool designed to provide modern functionalities for older web browsers, was the target of this sophisticated attack.
In February 2024, the domain and GitHub account for Polyfill.io were acquired by Funnull, a Chinese CDN company.
This acquisition raised immediate concerns about the service’s legitimacy.
These concerns were validated when malware injected through cdn.polyfill.io began redirecting users to malicious sites.
High-profile platforms such as JSTOR, Intuit, and the World Economic Forum were among the affected, showcasing the widespread impact of this breach.
"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo
The Scale of the Attack
According to Censys, a cybersecurity firm, 384,773 hosts were found to include references to “https://cdn.polyfill[.]io” or “https://cdn.polyfill[.]com” in their HTTP responses.
A significant concentration of these hosts, approximately 237,700, is located within the Hetzner network in Germany.
This is not surprising, given Hetzner’s popularity among web developers.
Further analysis revealed that major companies such as Warner Bros, Hulu, Mercedes-Benz, and Pearson had large numbers of hosts referencing the malicious Polyfill endpoint.
Interestingly, the most common hostname associated with these hosts was ns-static-assets.s3.amazonaws.com, indicating widespread usage among Amazon S3 static website hosting users.
The presence of government domains like “www.feedthefuture.gov” among the affected hosts underscores the attack’s reach across various sectors.
Censys observed 182 affected hosts displaying a “.gov” domain.
Industry Response and Mitigation Efforts
The attack has prompted swift responses from multiple companies.
Cloudflare and Fastly have offered alternative, secure endpoints for users to mitigate the threat while preventing websites from breaking.
Google has blocked ads for e-commerce sites using Polyfill.io, and the website blocker uBlock Origin has added the domain to its filter list.
Andrew Betts, the original creator of Polyfill.io, has urged website owners to immediately remove the library, emphasizing that it is no longer necessary for modern browsers.
Namecheap, the domain registrar for Polyfill.io, took down the malicious domain, mitigating the immediate threat.
However, the incident is a stark reminder of the growing threat of supply chain attacks on open-source projects.
The interconnected dependencies within the open-source ecosystem mean a single compromised package can have far-reaching security implications.
Investigating the Malicious Domain
Further investigation into the malicious Polyfill[.]io domain revealed additional concerning details.
Historical DNS records linked the domain to several other suspicious domains, including 5f52353c.u.fn03.vip, cdn.polyfill.io.bsclink.cn, and wildcard.polyfill.io.bsclink.cn.
LEGEND DYNASTY PTE hosted these domains. LTD., a company based in Singapore.
Interestingly, the maintainers of the Polyfill GitHub repository had leaked their Cloudflare API secrets within the repo.
This leak revealed four additional active domains linked to the same account: bootcdn[.]net, bootcss[.]com, staticfile[.]net, and staticfile[.]org.
One of these domains, bootcss[.]com, has been observed engaging in similar malicious activities since June 2023.
Analyzing the malicious Polyfill JavaScript code revealed a function named check_tiaozhuan(), which checks if the user uses a mobile device.
If so, it sets a value based on various conditions. Then it calls another function that loads a JavaScript file from a specified URL, potentially redirecting the user’s browser to another page.
This tactic closely mirrors the methods used in the Polyfill.io attack.
The Polyfill.io supply chain attack is a stark reminder of the vulnerabilities inherent in the web development ecosystem.
As developers rely on a diverse technology stack of open-source packages, the security of these dependencies becomes crucial.
The incident underscores the need for vigilance and robust security measures to protect against such sophisticated attacks.
As the web development community grapples with the fallout from this breach, the lessons learned will clearly shape future approaches to securing open-source projects.
The industry must continue collaborating and innovating to safeguard the digital infrastructure that underpins our modern world.
Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files