Supply chain attacks carried out via the Polyfill.io service

Threat actors are using the popular Polyfill.io service to carry out large-scale supply chain attacks, sending shockwaves throughout the infosec industry.

In a blog post on Tuesday, researchers from Dutch cybersecurity provider Sansec revealed a massive supply chain campaign within Polyfill.io, a widely used JavaScript library service. Sansec discovered that threat actors were injecting malicious polyfill payloads into more than 100,000 websites. Researchers first observed the activity starting in February, after Chinese company Funnull took over the Polyfill.io domain and GitHub account.

Sansec highlighted that the domain injects malware into mobile devices via any website that embeds it using the cdn.polyfill.io domain. Although the open-source library is used to support older browsers, the potential scope of the attack is large. According to Sansec, more than 100,000 websites, including Intuit and the World Economic Forum, use Polyfill.

Manipulating GitHub features and accounts to conduct supply chain attacks was a growing trend in 2024.

“The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely,” Sansec wrote in the blog.

Researchers investigated an incident where Polyfill was maliciously used to redirect mobile users to a sports betting website using a fake Google Analytics domain. Sansec warned that the code was written with reverse engineering protection and only activated on certain devices at certain times. Even more alarming, the code did not activate when it detected an administrator user and delayed execution when a web analytics service was found.

“The original author of Polyfill recommends not using Polyfill at all, as it is no longer required by modern browsers anyway,” the blog states.

Sansec updated the blog on Wednesday, explaining that DDoS attacks occurred after publishing its Polyfill.io research. In addition, the researchers said Namecheap has put the domain on hold, which “eliminates the risk for now.” Security researchers had previously found that Funnull had registered several backup domains for Polyfill.io with Namecheap and other domain name registrars.

Funnull released a statement on X (formerly Twitter) on Wednesday denying that the Polyfill.io service was involved in malicious activities.

Mitigating the threat to the supply chain

Cloudflare announced Wednesday that it had taken drastic action against Polyfill.io and Funnull, essentially removing the domain from Cloudflare’s CDN. Like Sansec and other vendors, Cloudflare observed threat actors using the service to inject malicious JavaScript code into users’ browsers. Researchers warned users not to trust the JavaScript library service for many reasons, including false statements about Cloudflare on the Polyfill.io website.

Cloudflare recommended removing the service completely from websites.

“Given the popularity of this library, this is a real threat to the Internet at large,” Cloudflare wrote in the blog post. “We have released an automatic JavaScript URL rewriting service in the last 24 hours that rewrites any link to polyfill.io found on a Cloudflare-proxied site to a link to our mirror at cdnjs. This prevents the site’s functionality from being compromised while also reducing the risk of a supply chain attack.”
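The find-and-rewrite step Cloudflare describes, as an added defender-side example in Python that is not code from the article or from Cloudflare: it scans HTML source for script and stylesheet loads served from polyfill.io (including protocol-relative `//` URLs) so a site owner can remove them or point them at a mirror. The mirror base URL and the sample page are assumptions constructed for the example.

```python
# Added example (not from the article): scan HTML for third-party loads from
# the polyfill.io domain and show the rewrite-to-mirror step Cloudflare
# describes. MIRROR_BASE is an assumption; check the CDN's published path.
from html.parser import HTMLParser
from urllib.parse import urlparse

MIRROR_BASE = "https://cdnjs.cloudflare.com/polyfill"  # assumed mirror base


def is_polyfill_host(url: str) -> bool:
    """True if url points at polyfill.io or any subdomain (e.g. cdn.polyfill.io)."""
    host = (urlparse(url).hostname or "").lower()  # also parses //host/path
    return host == "polyfill.io" or host.endswith(".polyfill.io")


class PolyfillRefFinder(HTMLParser):
    """Collects <script src> and <link href> URLs served from polyfill.io."""
    LOADER_ATTRS = {"script": "src", "link": "href"}

    def __init__(self) -> None:
        super().__init__()
        self.refs: list[str] = []

    def handle_starttag(self, tag, attrs):
        attr = self.LOADER_ATTRS.get(tag)
        if attr:
            url = dict(attrs).get(attr)
            if url and is_polyfill_host(url):
                self.refs.append(url)


def find_polyfill_refs(html: str) -> list[str]:
    parser = PolyfillRefFinder()
    parser.feed(html)
    parser.close()
    return parser.refs


def mirror_url(url: str) -> str:
    """Point a polyfill.io URL at the mirror, keeping path and feature query."""
    p = urlparse(url)
    return MIRROR_BASE + p.path + ("?" + p.query if p.query else "")


# Constructed sample page: one https load, one protocol-relative load, and a
# first-party script that must not be flagged.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for ref in find_polyfill_refs(SAMPLE_HTML):
        print(f"remove or mirror: {ref} -> {mirror_url(ref)}")
```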

Cloudflare added that the feature is automatically enabled on every website on the free plan. In February, Cloudflare created its own mirror of the Polyfill.io website due to suspicions about the domain’s new owner, Funnull. At the time, Cloudflare stressed that Funnull was a relatively unknown company, raising concerns about supply chain risks.

“The new owner was unknown in the industry and did not have a trustworthy track record to manage a project like polyfill.io. The concern, expressed even by the original author, was that if they were to abuse polyfill.io by injecting additional code into the library, it could cause widespread security issues on the Internet that would affect several hundred thousand websites,” the blog post said.

Cloudflare added that its concerns about supply chain attacks were confirmed on Tuesday when Polyfill.io users were redirected to malicious websites. The blog stressed that Cloudflare did not block the domain due to widespread concerns about web outages. Cloudflare said it estimates that Polyfill.io is used “on nearly 4% of all websites.”

Cloud service provider Fastly also created a mirror of Polyfill.io before the domain was acquired by Funnull, raising similar concerns about potential supply chain threats.

TechTarget reached out to Cloudflare and Sansec for further comment, but the companies had not responded at press time.

Arielle Waldman is a news editor at TechTarget Editorial and writes about enterprise security.