
Polyfill JS supply chain attack: what happened

A detailed analysis of the cyber attack that compromised a library essential for JavaScript compatibility in browsers

Supply chain attacks on open source projects have increased in recent times. Polyfill JS, a service used to improve browser compatibility, was compromised after its domain changed hands and began serving malicious code. Developers should remove references to this domain to protect their sites and their visitors.

In recent times, supply chain attacks against open source projects have been on the rise. These attacks aim to infiltrate one or more links in the distribution chain of trusted software: the attackers alter a trusted component, exploit the trust placed in it, and through it reach a chosen group of victims downstream. After the backdoor planted in XZ Utils, a new case involves Polyfill JS (polyfill.io), a popular library and service that fills compatibility gaps in browsers, making the latest JavaScript features usable even on older software.

Sansec investigations into compromised sites

Sansec researchers discovered that websites embedding Polyfill JS had started serving malicious code. The common thread is a reference to a lookalike of the Google Analytics domain, with "l" replaced by "i" (googie-anaiytics). Loading the code hosted on that domain sends visitors to malware downloads or unwanted pages. Sansec found that the payload changes depending on the HTTP headers of the request, includes protections against reverse engineering, and only activates on specific mobile devices at certain times of day. Prominent victims include the World Economic Forum website and JSTOR. According to PublicWWW, over 100,000 sites embed Polyfill JS, which gives a measure of the problem; the portal of the Agency for Digital Italy (AgID) also appears to be affected.

Polyfill JS domain acquisition

How did Polyfill JS become an attack vehicle? The domain hosting the code was acquired by a Chinese entity in February 2024. At first the legitimate content was retained; later it was replaced with malicious code. Many developers load third-party components from a remote URL, to save bandwidth and avoid overloading their own servers. The price is that the site serves whatever that URL serves: if the external code is altered, every page embedding it starts delivering the altered code to its visitors. That is exactly what happened with Polyfill JS.

Steps to follow to protect yourself

Andrew Betts, the original developer of Polyfill JS, urged users to remove references to the compromised domain and stressed that there is no longer any need to use Polyfill JS, since the core features it polyfilled are now supported by all current browsers. Meanwhile, Cloudflare and Fastly have made trustworthy mirrors of the service available. Google has also launched an information campaign to warn website operators of the infiltration, revealing that the problem extends to Bootcss, Bootcdn and Staticfile. PublicWWW shows over 500,000 sites referencing these services. We recommend checking the code of your web pages for any reference to polyfill.io, bootcss.com, bootcdn.net and staticfile.org, and removing them.
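As an added illustration of the two points above (a page serves whatever a remote URL it embeds serves, and the recommended check for references to the four domains), the following script is example code written for this article; it is not code from the article's author, from Sansec, or from the polyfill.io project. It scans a page's HTML for `<script src>` and `<link href>` references to polyfill.io, bootcss.com, bootcdn.net and staticfile.org, and additionally flags any remote script that carries no Subresource Integrity (`integrity`) attribute, which is the mechanism a browser uses to refuse a remote file whose content has changed. The sample HTML, the `cdn.example.net` host and the integrity hash in it are constructed for the example and do not describe any real site.

```javascript
// Added example, not code from the article or from the polyfill.io project.
// Scans an HTML document for <script src> / <link href> references to the
// domains the article recommends removing, and additionally flags remote
// scripts that carry no Subresource Integrity (integrity=) attribute.

const COMPROMISED_DOMAINS = ["polyfill.io", "bootcss.com", "bootcdn.net", "staticfile.org"];

// Constructed sample page (not a real site): one polyfill.io script, one
// bootcss.com stylesheet, one pinned vendor script, one unpinned remote
// script, and one self-hosted script.
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css">
<script src="https://cdn.example.net/vendor.js" integrity="sha384-abc123" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script src="/js/app.js"></script>
</head><body></body></html>`;

// Pull every <script> and <link> tag out of the markup and return its URL
// attribute and whether an integrity attribute is present. A regex scan is
// enough for an audit of static markup; nothing here is executed.
function extractResourceRefs(html) {
  const refs = [];
  const tagRe = /<(script|link)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const attrName = tag === "script" ? "src" : "href";
    // (?:^|\s) so that e.g. data-src= is not mistaken for src=
    const urlRe = new RegExp("(?:^|\\s)" + attrName + "\\s*=\\s*[\"']?([^\"'\\s>]+)", "i");
    const urlMatch = urlRe.exec(attrs);
    if (!urlMatch) continue;
    refs.push({ tag, url: urlMatch[1], hasIntegrity: /(?:^|\s)integrity\s*=/i.test(attrs) });
  }
  return refs;
}

// Hostname of an absolute or protocol-relative URL; null for relative paths
// (self-hosted resources), which are out of scope for this check.
function hostOf(url) {
  const absolute = url.startsWith("//") ? "https:" + url : url;
  try {
    return new URL(absolute).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Match the domain itself and any subdomain (cdn.polyfill.io matches,
// polyfill.io.example.com does not).
function matchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns one finding per problematic reference, in document order.
function auditHtml(html) {
  const findings = [];
  for (const ref of extractResourceRefs(html)) {
    const host = hostOf(ref.url);
    if (host === null) continue;
    const hit = COMPROMISED_DOMAINS.find((d) => matchesDomain(host, d));
    if (hit) {
      findings.push({ ...ref, host, reason: "references compromised domain " + hit });
    } else if (ref.tag === "script" && !ref.hasIntegrity) {
      findings.push({ ...ref, host, reason: "remote script without integrity attribute" });
    }
  }
  return findings;
}

// Stand-alone run: print the findings for the constructed sample.
for (const f of auditHtml(SAMPLE_HTML)) {
  console.log(`${f.tag} ${f.url} -> ${f.reason}`);
}
```

Run it with Node.js: the polyfill.io script and the bootcss.com stylesheet are reported as compromised references, the unpinned `analytics.js` is reported for lacking an `integrity` attribute, the pinned `vendor.js` passes, and the relative `/js/app.js` is skipped as self-hosted. One caveat: adding an `integrity` attribute would not have protected a page against polyfill.io itself, because that service tailored the bundle it returned to the requesting browser's User-Agent, so no single hash could match every response. For such dynamic endpoints the only sound remedy is the one the text gives: remove the reference, or replace it with a copy you host yourself or a mirror you trust.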


06/27/2024 04:33

Marco Verro
