Supply Chain Attack Targeting Polyfill.io Library Impacts Over 380,000 Hosts
In a concerning development, the supply chain attack aimed at the widely-used Polyfill.io JavaScript library has been found to have a larger scope than previously believed. According to recent findings by Censys, over 380,000 hosts are embedding a polyfill script that links to the malicious domain as of July 2, 2024.
The attack surface management firm identified references to “https://cdn.polyfill[.]io” or “https://cdn.polyfill[.]com” in the HTTP responses of these hosts. Notably, approximately 237,700 of the affected hosts are located within the Hetzner network (AS24940) primarily in Germany. This is unsurprising, as Hetzner is a popular web hosting service that many website developers leverage.
Further analysis of the impacted hosts has revealed domains tied to prominent companies such as WarnerBros, Hulu, Mercedes-Benz, and Pearson. These domains reference the malicious endpoint in question, highlighting the broad reach of the attack.
The details of the attack first came to light in late June 2024 when Sansec reported that the code hosted on the Polyfill domain had been modified to redirect users to adult- and gambling-themed websites. Importantly, the code changes were designed to redirect users at specific times of the day and only against visitors who met certain criteria.
The malicious behavior was introduced after the domain and its associated GitHub repository were sold to a Chinese company named Funnull in February 2024. This change in ownership led to nefarious modifications that compromised the integrity of the library.
In response to these revelations, domain registrar Namecheap promptly suspended the domain. Content delivery networks such as Cloudflare have also taken action to protect users by replacing Polyfill links with domains leading to alternative safe mirror sites. Additionally, Google has blocked ads for sites embedding the malicious domain.
Despite attempts by the attackers to relaunch the service under a different domain, polyfill[.]com, Namecheap took it down on June 28, 2024. Of the two other domains registered since the beginning of July, polyfill[.]site and polyfillcache[.]com, the latter remains operational.
Interestingly, Censys discovered an extensive network of potentially related domains tied to the maintainers of Polyfill. These domains include bootcdn[.]net, bootcss[.]com, staticfile[.]net, staticfile[.]org, unionadjs[.]com, xhsbpza[.]com, union.macoms[.]la, and newcrbpc[.]com. The presence of these domains suggests that the Polyfill attack may be part of a broader malicious campaign.
Censys highlighted that one of these domains, bootcss[.]com, has engaged in similar malicious activities to the polyfill[.]io attack since June 2023. In fact, they found evidence linking 1.6 million public-facing hosts to these suspicious domains. This raises concerns that the same malicious actor responsible for the Polyfill attack may exploit these other domains for similar activities in the future.
The implications of the Polyfill supply chain attack extend beyond the immediate compromise of the library itself. Patchstack, a WordPress security company, warned about the cascading risks faced by websites running the popular content management system (CMS). This is due to dozens of legitimate plugins that link to the rogue Polyfill domain, making them potential avenues for attack.
In conclusion, the supply chain attack targeting the Polyfill.io JavaScript library has turned out to be more extensive than initially believed. With over 380,000 hosts embedding the malicious script, it is clear that this attack has far-reaching implications. The discovery of potentially related malicious domains further underscores the need for vigilance and proactive security measures to protect against similar attacks in the future.
Source link
