Polyfill[.]io Attack Impacts Over 380,000 Hosts, Including Major Companies
The supply chain attack on the widely used Polyfill[.]io JavaScript library has had a broader impact than initially assumed, according to new findings from Censys: as of July 2, 2024, more than 380,000 hosts embed a polyfill script that points at the malicious domain.
These hosts reference either “https://cdn.polyfill[.]io” or “https://cdn.polyfill[.]com” within their HTTP responses, the attack surface management company said.
The report highlighted that “Around 237,700 of these affected hosts are within the Hetzner network (AS24940), predominantly in Germany,” which is understandable considering Hetzner’s popularity as a web hosting service among website developers.
Closer examination of the impacted hosts revealed that domains linked to well-known companies such as WarnerBros, Hulu, Mercedes-Benz, and Pearson reference the malicious endpoint.
The details of this attack came to light towards the end of June 2024 when Sansec issued an alert about modifications made to the code on the Polyfill domain leading to user redirections toward adult and gambling-related websites. These alterations were designed to trigger redirections at specific times of the day and were targeted only at visitors meeting certain criteria.
It is claimed that this malicious activity started after the domain and its associated GitHub repository were transferred to a Chinese entity named Funnull in February 2024.
Following these events, domain registrar Namecheap suspended the domain, content delivery networks such as Cloudflare automatically rewrote Polyfill links to point at safe mirror sites, and Google blocked ads on sites embedding the domain.
When the operators attempted to resurrect the service under the new domain polyfill[.]com, Namecheap suspended that domain as well on June 28, 2024. Of the two additional domains the operators have registered since the beginning of July – polyfill[.]site and polyfillcache[.]com – only the latter is presently functional.
Moreover, a wider network of potentially associated domains, including bootcdn[.]net, bootcss[.]com, staticfile[.]net, staticfile[.]org, unionadjs[.]com, xhsbpza[.]com, union.macoms[.]la, and newcrbpc[.]com, has been identified as linked to the maintainers of Polyfill, indicating that this incident could be part of a broader malicious scheme.

“One of these domains, bootcss[.]com, has been observed carrying out activities similar to those of the polyfill[.]io attack, with traces reaching back to June 2023,” Censys stated, identifying 1.6 million public-facing hosts linking to these suspicious domains.
“It isn’t far-fetched to entertain the notion that the same malicious actor behind the polyfill[.]io attack might exploit these other domains for comparable activities in the future.”
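Censys found the affected hosts by looking for references to the rogue domains in HTTP responses. A site owner can run the same kind of check against their own pages. The following scanner is an added example, not code from Censys, Sansec or Patchstack: it parses an HTML document with the standard library, extracts the remote URLs from script, link and iframe tags, and reports any whose hostname is one of the domains named in this article (written here without the [.] defanging) or a subdomain of one. The sample page is constructed for the example; the hostname mirror.example.net is a placeholder.

```python
"""Find script/link/iframe references to the domains named in the Polyfill.io
supply chain reporting. Added example, not the vendors' own tooling."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the article above, refanged. A hostname matches if it
# equals one of these or is a subdomain of one (cdn.polyfill.io -> polyfill.io).
INDICATOR_DOMAINS = frozenset({
    "polyfill.io", "polyfill.com", "polyfill.site", "polyfillcache.com",
    "bootcdn.net", "bootcss.com", "staticfile.net", "staticfile.org",
    "unionadjs.com", "xhsbpza.com", "union.macoms.la", "newcrbpc.com",
})

# Which attribute carries the remote URL for each tag type we inspect.
URL_ATTRS = {"script": "src", "link": "href", "iframe": "src"}


def matching_domain(url):
    """Return the indicator domain that `url` points at, or None.

    Protocol-relative URLs ("//cdn.polyfill.io/...") are given a scheme so
    urlsplit yields a hostname; path-only URLs have no host and never match.
    A lookalike such as polyfill.io.evil.example does not match either,
    because the comparison is on whole DNS labels, not on a substring.
    """
    if url.startswith("//"):
        url = "https:" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return None
    for dom in INDICATOR_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


class _RefCollector(HTMLParser):
    """Collects (tag, url, matched_domain, has_integrity) for each hit."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = URL_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        url = attrs.get(attr_name)
        if not url:
            return
        dom = matching_domain(url)
        if dom:
            # Record whether an SRI integrity attribute is present; a missing
            # one means the page accepts whatever the remote host serves.
            self.findings.append((tag, url, dom, "integrity" in attrs))


def find_polyfill_references(html):
    """Scan one HTML document and return the list of matching references."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two rogue script sources (one protocol-relative),
# one stylesheet from a related domain, one clean mirror URL whose path merely
# contains the word "polyfill", and one local script.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.polyfill.com/v3/polyfill.min.js"></script>
<link rel="stylesheet" href="https://cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css">
<script src="https://mirror.example.net/polyfill/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for tag, url, dom, sri in find_polyfill_references(SAMPLE_HTML):
        print(f"{tag:<6} {dom:<18} sri={sri!s:<5} {url}")
```

Running the script on the sample page reports the two polyfill script tags and the bootcss stylesheet, and ignores the mirror URL and the local file. To check a live site, feed the body of each fetched page to `find_polyfill_references`; the same hostname test can be applied to Content-Security-Policy sources or proxy logs, since the match is on the host rather than on the HTML.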
These developments coincide with a warning from the WordPress security company Patchstack about the cascading risk the Polyfill supply chain attack poses to websites powered by the content management system (CMS), since numerous legitimate plugins load resources from the rogue domain.