The registrar has suspended the domain of the JavaScript library 'Polyfill.io' after it was discovered to be infected with malware.
Domain registrar Namecheap has suspended the domain of Polyfill.io, a JavaScript library that was found to be infected with malware.
Namecheap Takes Down Polyfill.io Service Following Supply Chain Attack - Socket
https://socket.dev/blog/namecheap-takes-down-polyfill-io-service-following-supply-chain-attack
'Polyfill.io (polyfill.js)' is a JavaScript library developed by Andrew Betts that allows developers to write code without worrying about differences in functionality between versions of web browsers. Betts has already left the project, and Jake Champion, who was the maintainer, took it over; the project was then sold to China's Funnull in February 2024. After the ownership changed to Funnull, attempts to infect mobile devices with malware via sites that embed cdn.polyfill.io have been confirmed.
Malware infects JavaScript library 'Polyfill.io' affecting over 100,000 sites - GIGAZINE
It has been pointed out that the number of websites embedded with cdn.polyfill.io exceeds 110,000, and affected companies include Atlassian, Sendgrid, JSTOR, Intuit, World Economic Forum, FlatIcon, SiteGround, government websites, etc. Google has issued a warning to companies with websites affected by Polyfill.io.
Google is now sending a warning about loading 3rd party JS from domains like polyfill.io bootcss.com bootcdn.net & staticfile.org that may do nasty things to your users if your site uses JS from these domains.
— Michal Špaček (@spazef0rze) June 25, 2024
In response to the impact of Polyfill.io, domain registrar Namecheap has decided to remove Polyfill.io’s domain, “polyfill.io.”
Very important/big update: in the past hour, @Namecheap finally decided to nuke the polyfill[.]io domain.
No 👏 for them, not at all, because it took them way more time than it should have, but probably a little thanks still for doing it late rather than never doing it...
🤷‍♂️
— MalwareHunterTeam (@malwrhunterteam) June 26, 2024
Please note that self-hosted polyfill.js instances and instances hosted by more trusted organizations are not affected by this issue. Additionally, Cloudflare and Fastly provide alternative clones of Polyfill.io at the time of writing.
Tens of millions of websites (4% of the web) use Polyfill(.)io. Extremely concerning malware has been discovered impacting any site using Polyfill. Cloudflare is stepping in with a secure clone and a service to automatically replace Polyfill on pages. https://t.co/oOFWhqBMQp
— Matthew Prince 🌥 (@eastdakota) June 26, 2024
On the other hand, the official Polyfill.io X (formerly Twitter) account posted, 'We have found media messages slandering Polyfill.io. Our services are cached by Cloudflare and there is no risk to our supply chain,' denying the allegation that Polyfill.io contains malware.
We found media messages slandering polyfill. We want to explain that all our services are cached in Cloudflare and there is no supply chain risk.
— Polyfill (@Polyfill_Global) June 25, 2024
Furthermore, they claim that Polyfill.io's services are not at risk, stating, 'Someone has maliciously defamed us. All content is statically cached, so there is no risk to the supply chain. If a third party were involved, it could pose a potential risk to your website. But no one would do that, as it would put our reputation at risk.'
Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website,
But no one would do this as it would jeopardize our own reputation.
We already have…
— Polyfill (@Polyfill_Global) June 26, 2024
However, security platform Socket claims that Polyfill.io is dangerous, and at the time of writing, it has listed the following four fixes for those who are using Polyfill.io's services:
1: Any sites using cdn.polyfill.io should remove it immediately.
2: If you're not sure whether you're using the Polyfill.io service, Polykill, which tracks supply chain attacks, recommends using a code search tool or IDE to search the source code of all projects in your organization for instances of cdn.polyfill.io.
3: If you need Polyfill.io's services, Fastly and Cloudflare offer reliable alternatives.
4: You can also self-host your repository in a secure and managed environment.
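As an added example (not code from Socket, Polykill or this article), the following Python scanner implements step 2: it searches a source tree for references to cdn.polyfill.io and the other domains named in Google's warning, reporting file, line number and the matched host. The file suffixes scanned and the constructed sample files are assumptions.

```python
import re
from pathlib import Path

# Hosts named on the page: Google's warning covers polyfill.io, bootcss.com,
# bootcdn.net and staticfile.org; Socket's advice is to search all projects
# for cdn.polyfill.io. Edit this tuple to fit your own block list.
FLAGGED_HOSTS = ("polyfill.io", "bootcss.com", "bootcdn.net", "staticfile.org")

# Matches a flagged host with any subdomain prefix (cdn.polyfill.io), whether it
# appears as https://..., protocol-relative //..., or a bare string in JS.
# Deliberately broad: a look-alike such as polyfill.io.example.com is reported
# too, which is the safer default for triage.
_HOST_RE = re.compile(
    r"(?<![a-z0-9.-])((?:[a-z0-9-]+\.)*(?:"
    + "|".join(re.escape(h) for h in FLAGGED_HOSTS)
    + r"))(?![a-z0-9-])",
    re.IGNORECASE,
)

# Assumed set of file types worth scanning; vendored and VCS dirs are skipped.
SCAN_SUFFIXES = {".html", ".htm", ".js", ".jsx", ".ts", ".tsx", ".vue",
                 ".php", ".erb", ".twig", ".jinja", ".jinja2", ".md"}
SKIP_DIRS = {"node_modules", ".git"}


def find_flagged_references(text):
    """Return (line_number, host, stripped_line) for each flagged reference."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _HOST_RE.finditer(line):
            hits.append((lineno, match.group(1).lower(), line.strip()))
    return hits


def scan_files(files):
    """files: {path: text}. Returns (path, line_number, host, line) tuples."""
    return [(path, lineno, host, line)
            for path, text in files.items()
            for lineno, host, line in find_flagged_references(text)]


def scan_tree(root):
    """Walk a source tree on disk and report every flagged host reference."""
    files = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        if SKIP_DIRS.intersection(path.parts):
            continue
        files[str(path)] = path.read_text(errors="replace")
    return scan_files(files)


# Constructed sample: one template still loading from cdn.polyfill.io and a
# bootcss.com mirror, and one script with no flagged reference.
SAMPLE_FILES = {
    "templates/base.html": (
        '<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>\n'
        '<script src="//cdn.bootcss.com/jquery/3.3.1/jquery.min.js"></script>\n'
    ),
    "static/app.js": 'const API = "https://api.example.com/v1";\n',
}

if __name__ == "__main__":
    for path, lineno, host, line in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {host}  {line}")
```

Run `scan_tree(".")` from the root of a checkout to get the same tuples for a real project; anything it returns should be removed or replaced as steps 1, 3 and 4 describe.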
Socket also warned, 'Third-party services that are untrusted or have unknowingly ceded rights to new owners are the latest example of the need to audit your project's code. Regularly reviewing and updating your dependencies can help reduce the risk of being caught up in such attacks in the future.'