
Polyfill JS supply chain attack: what happened

A detailed analysis of the cyber attack that compromised a library essential for JavaScript compatibility in browsers

Supply chain attacks on open source projects have increased in recent times. Polyfill JS, a library used to improve browser compatibility, was compromised when the domain serving it began delivering malicious code. Developers should remove references to that domain to protect themselves.


In recent times, supply chain attacks against open source projects have been on the rise. These attacks aim to infiltrate one or more links in the distribution chain of respected software. The attackers' goal is to alter trusted components by exploiting the trust placed in them, and then target a specific group of victims. After the backdoor episode in XZ Utils, a new case involves Polyfill JS, a popular library that fills compatibility gaps in browsers, making the latest JavaScript features usable even on older browser software.

Sansec investigations into compromised sites

Sansec experts discovered that websites using Polyfill JS had started distributing malicious code. The common thread is a reference to a domain that imitates Google Analytics, with "l" replaced by "i" (googie-anaiytics). Loading code hosted on this domain leads to downloading malware or opening unwanted pages. Sansec found that the code varies depending on HTTP headers, includes protections against reverse engineering, and only activates on specific mobile devices at certain times. Famous victims include the World Economic Forum website and JSTOR. According to PublicWWW, over 100,000 sites use Polyfill JS, demonstrating the extent of the problem, which also appears to involve the portal of the Agency for Digital Italy (AgID).

Polyfill JS domain acquisition

How did Polyfill JS become an attack vehicle? The domain hosting the code was acquired by a Chinese entity in February 2024. Initially the legitimate content was retained; it was then replaced with malicious code. Many developers, to save bandwidth and avoid overloading their own servers, load third-party components from remote URLs. As a result, the website starts serving malicious content as soon as the external code is altered. That is exactly what happened with Polyfill JS.

Steps to follow to protect yourself

Andrew Betts, developer of Polyfill JS, warned users to remove references to the compromised domain and stressed that there is no longer any need to use Polyfill JS, as its core features are now supported by all browsers. Meanwhile, Cloudflare and Fastly have made secure mirrors of the service available. Furthermore, Google has launched an information campaign to warn website managers of the infiltration, revealing that the problem also affects Bootcss, Bootcdn and Staticfile. Using PublicWWW you can verify that over 500,000 sites are compromised through these services. We recommend that you check and remove any references to polyfill.io, bootcss.com, bootcdn.net, and staticfile.org from the code of your web pages.
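To act on that recommendation, the following scanner (an added example, not code from the article or from the Polyfill project) walks HTML source and reports script, link and iframe tags whose URL points at the domains the article names; the sample HTML is constructed for illustration.

```python
"""Find external script/link/iframe references to the domains named in the
Polyfill.io incident. Added example; domain list taken from the article,
sample HTML constructed for illustration."""
import re
from html.parser import HTMLParser

# Domains the article recommends removing, plus the lookalike analytics
# domain it names (TLD not given in the article, so only the label is matched).
FLAGGED_DOMAINS = ("polyfill.io", "bootcss.com", "bootcdn.net",
                   "staticfile.org", "googie-anaiytics")

# Attributes that make a browser fetch remote content.
URL_ATTRS = {"src", "href", "data-src"}


def _host_of(url):
    # Accept "https://host/...", "http://host/..." and protocol-relative "//host/...".
    m = re.match(r"^(?:[a-z]+:)?//([^/?#]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_flagged(url):
    """True if the URL's host is a flagged domain, a subdomain of one, or the lookalike label."""
    host = _host_of(url)
    return any(host == d or host.endswith("." + d) or host.startswith(d + ".")
               for d in FLAGGED_DOMAINS)


class ExternalRefScanner(HTMLParser):
    """Collects (line, tag, url) for tags that load content from flagged hosts."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "link", "iframe"):
            return
        for name, value in attrs:
            if name in URL_ATTRS and value and is_flagged(value):
                self.findings.append((self.getpos()[0], tag, value))


def scan_html(html):
    """Return a list of (line number, tag, url) findings for the given HTML source."""
    scanner = ExternalRefScanner()
    scanner.feed(html)
    return scanner.findings


SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/4.0.0/css/bootstrap.min.css">
<script src="/static/app.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for line, tag, url in scan_html(SAMPLE_HTML):
        print(f"line {line}: <{tag}> loads {url}")
```

Run it over your own templates or crawled pages; the legitimate `google-analytics.com` reference and the local `/static/app.js` are deliberately left unflagged.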


06/27/2024 04:33

Marco Verro
