
Polyfill JS supply chain attack: what happened

A detailed analysis of the cyber attack that compromised a library essential for JavaScript compatibility in browsers

Supply chain attacks on open source projects have increased in recent times. Polyfill JS, used to improve browser compatibility, was compromised by a malicious domain. Developers should remove references to this domain to protect themselves.

This pill is also available in Italian.

In recent times, supply chain attacks against open source projects have been on the rise. These attacks aim to infiltrate one or more links in the distribution chain of a respected software. The attackers' goal is to alter trusted components by exploiting the trust placed in them, and then target a specific group of victims. After the backdoor episode in XZ Utils, a new case involves Polyfill JS, a popular library that fills compatibility gaps in browsers, ensuring the use of the latest JavaScript features even on older software.

Sansec investigations into compromised sites

Sansec experts discovered that websites using Polyfill JS have started distributing malicious code. The common thread is a reference to a domain that imitates Google Analytics, with "l" replaced by "i" (googie-anaiytics). Loading code hosted on this domain leads to downloading malware or opening unwanted pages. Sansec found that the code varies depending on HTTP headers, includes protections against reverse engineering, and only activates on specific mobile devices at certain times. Well-known victims include the World Economic Forum website and JSTOR. According to PublicWWW, over 100,000 sites use Polyfill JS, which shows the extent of the problem; the portal of the Agency for Digital Italy (AgID) also appears to be affected.

Polyfill JS domain acquisition

How did Polyfill JS become an attack vehicle? The domain hosting the code was acquired by a Chinese entity in February 2024. Initially the legitimate content was retained; it was then replaced with malicious code. Many developers, to save bandwidth and avoid overloading their own servers, load third-party components from remote URLs. As a result, if the external code is altered, the website immediately starts serving the altered content to its visitors. That is exactly what happened with Polyfill JS.

Steps to follow to protect yourself

Andrew Betts, developer of Polyfill JS, warned users to remove references to the compromised domain and stressed that there is no longer any need to use Polyfill JS, as the core features are now supported by all browsers. Meanwhile, Cloudflare and Fastly have made secure mirrors of the service available. Furthermore, Google has launched an information campaign to warn website managers of the infiltration, revealing that the problem also affects Bootcss, Bootcdn and Staticfile. Using PublicWWW, you can verify that over 500,000 sites are affected by these services. We recommend that you check for and remove any references to polyfill.io, bootcss.com, bootcdn.net, and staticfile.org from the code of your web pages.
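The two preceding sections describe the mechanism (pages pulling third-party code from a remote domain that later changed hands) and the remedy (find and remove every reference to the affected domains). As an added example, not code from the original article, from Sansec, or from the Polyfill project, the following standard-library Python scanner walks a page's HTML and reports every tag whose src/href points at polyfill.io, bootcss.com, bootcdn.net or staticfile.org (subdomains such as cdn.polyfill.io and protocol-relative URLs included), and also flags inline scripts that build such a URL at runtime. The sample page and its CDN paths are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the article as serving altered third-party code.
# Matching is on the host, so subdomains (cdn.polyfill.io) are caught too.
COMPROMISED_DOMAINS = (
    "polyfill.io",
    "bootcss.com",
    "bootcdn.net",
    "staticfile.org",
)

# Attributes through which a page can pull remote code or resources.
URL_ATTRIBUTES = ("src", "href", "data-src")

# For inline JavaScript: the domain must stand on its own, not be part of a
# longer host label such as notpolyfill.io.
INLINE_PATTERNS = {
    domain: re.compile(r"(?<![\w-])" + re.escape(domain) + r"(?![\w-])", re.IGNORECASE)
    for domain in COMPROMISED_DOMAINS
}


def matched_domain(url):
    """Return the compromised domain a URL's host belongs to, or None.

    Protocol-relative URLs (//cdn.polyfill.io/...) are given a scheme so that
    urlparse sees a host; same-origin paths (/static/app.js) have no host and
    therefore never match.
    """
    if url.startswith("//"):
        url = "https:" + url
    host = (urlparse(url).hostname or "").lower()
    for domain in COMPROMISED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


class ReferenceFinder(HTMLParser):
    """Collect (tag, attribute, value, domain) findings from tag attributes
    and from inline <script> bodies that inject a script tag at runtime."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in URL_ATTRIBUTES and value:
                domain = matched_domain(value.strip())
                if domain:
                    self.findings.append((tag, name, value.strip(), domain))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Only inline script bodies are inspected; ordinary page text is not.
        if not self._in_script:
            return
        for line in data.splitlines():
            for domain, pattern in INLINE_PATTERNS.items():
                if pattern.search(line):
                    self.findings.append(("script", "inline", line.strip(), domain))


def find_compromised_references(html):
    """Scan an HTML document and return all references to the listed domains."""
    parser = ReferenceFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: three remote references to affected domains, one
# same-origin script, one unrelated third party, and one inline loader.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.bootcss.com/bootstrap/4.0.0/css/bootstrap.min.css">
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.staticfile.org/jquery/3.6.0/jquery.min.js"></script>
<script src="/static/app.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://cdn.bootcdn.net/ajax/libs/lodash.js/4.17.21/lodash.min.js';
  document.head.appendChild(s);
</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for tag, attribute, value, domain in find_compromised_references(SAMPLE_PAGE):
        print(f"[{domain}] <{tag} {attribute}> {value}")
```

Run it against a saved copy of each page (or each template) rather than the live site: the article notes that the injected code varies by HTTP headers and device, so what a crawler receives from the domain is not reliable, whereas the reference in your own markup is what must be removed.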


06/27/2024 04:33

Editorial AI
