Polyfill Supply Chain Attack Affects More Than 110,000 Websites

Polyfill.io, a domain used by more than 110,000 websites to deliver JavaScript code, has been used in a supply chain attack that could lead to data theft and clickjacking. Learn more about the threat and its effects on web users.

June 27, 2024


  • Security researchers have warned that the domain Polyfill.io has been compromised and is spreading malware through a widespread supply chain attack.
  • The malicious code generates payloads based on HTTP headers to cover its tracks.

The cdn[.]polyfill[.]io and bootcss[.]com domains have been compromised and are serving malicious code to more than 110,000 websites, prompting security firms to sound the alarm. Websites that load JavaScript from Polyfill have been urged to remove that code immediately. The change followed the purchase of the domain by a suspected Chinese firm in early 2024.

The site offered widely used polyfills: small pieces of code that let older browsers use modern JavaScript features. Such code makes web developers' work easier and allows compatibility with a broader range of browsers. However, because the malicious code was inserted into those JavaScript snippets, anyone visiting an infected website could end up running the malware in their browser.

Eyal Paz, VP of Research at OX Security, spoke about the implications of the attack: “The recent Polyfill supply chain attack highlights a critical issue with current-day web development: the trust placed in third-party libraries. In addition, many organizations need help to track the long tail of the software supply chain, and we’re looking at the perfect storm of unmanaged cybersecurity risk.

AppSec teams need complete visibility into all software deployed throughout their organization’s ecosystem. Companies should be able to generate a Software Bill of Materials (SBOM), which provides an accurate inventory of all the application components. Companies must also regularly assess the security posture of third-party libraries, using strong vulnerability management practices, to reduce the probability of transitive vulnerabilities and increased cyber risk.

The best way to stay ahead of attackers is to obtain a single point of view of the application attack surface. Companies should implement a holistic AppSec approach incorporating continuous monitoring, contextual enrichment to help with remediation prioritization, and quick response capabilities to mitigate the most critical vulnerabilities threatening your software security supply chain.”


Websites with infected scripts may redirect users to malicious sites, including pornographic and sports betting websites. Prominent victims include the World Economic Forum, Intuit, and JSTOR. According to security firms, malware has been distributed via the domain since February 2024.

Security researchers have found that the malicious code generates payloads that differ based on HTTP headers. This allows a greater degree of obfuscation: the code activates only on specific devices, delays execution, and avoids admin users, all of which help it evade detection.

Google has also been observed blocking Google Ads on websites that use the infected code, presumably to reduce the number of victims, and has sent warnings to site owners. Site owners should act as soon as possible to mitigate risks for themselves and their users.
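One way for a site owner to check their own pages for the script references the article says should be removed, as an added example (not code from the article or from any vendor tool; the sample page and the cdn.bootcss.com host in it are constructed):

```python
"""Find <script> tags that load code from the domains named in the Polyfill.io
incident (polyfill.io and bootcss.com, including any subdomain)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the article reports as compromised; subdomains such as cdn.polyfill.io match too.
COMPROMISED_DOMAINS = ("polyfill.io", "bootcss.com")


def is_compromised_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in COMPROMISED_DOMAINS)


class ScriptSourceCollector(HTMLParser):
    """Collect the src attribute of every <script> tag on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag and attribute names
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def find_polyfill_references(html: str) -> list[str]:
    """Return script URLs that point at a compromised domain.
    Protocol-relative URLs (//cdn.polyfill.io/...) are resolved by urlsplit;
    relative paths have no host and are ignored."""
    parser = ScriptSourceCollector()
    parser.feed(html)
    return [src for src in parser.sources
            if is_compromised_host(urlsplit(src).hostname or "")]


# Constructed sample page: one polyfill.io tag, one bootcss mirror, two benign scripts.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.bootcss.com/polyfill/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
<script src="https://example.com/vendor.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for url in find_polyfill_references(SAMPLE_HTML):
        print("remove or replace:", url)
```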


Anuj Mudaliar