The registrar has suspended the domain of the JavaScript library 'Polyfill.io' after it was discovered to be infected with malware.



Domain registrar Namecheap has suspended the domain of Polyfill.io, a JavaScript library that was found to be infected with malware.

Namecheap Takes Down Polyfill.io Service Following Supply Chain Attack - Socket
https://socket.dev/blog/namecheap-takes-down-polyfill-io-service-following-supply-chain-attack



'Polyfill.io (polyfill.js)' is a JavaScript library developed by Andrew Betts that lets developers write code without worrying about differences in functionality between versions of web browsers. Betts has already left the project, and Jake Champion, who was the maintainer, took it over; the project was sold to China's Funnull in February 2024. After ownership passed to Funnull, attempts to infect mobile devices with malware were confirmed via sites that embed cdn.polyfill.io.

Malware infects JavaScript library 'Polyfill.io' affecting over 100,000 sites - GIGAZINE



It has been pointed out that more than 110,000 websites embed cdn.polyfill.io, and those affected include Atlassian, Sendgrid, JSTOR, Intuit, World Economic Forum, FlatIcon, SiteGround, government websites, etc. Google has issued a warning to companies with websites affected by Polyfill.io.




In response to the impact of Polyfill.io, domain registrar Namecheap has decided to remove Polyfill.io’s domain, “polyfill.io.”




Please note that self-hosted polyfill.js instances and instances hosted by more trusted organizations are not affected by this issue. Additionally, Cloudflare and Fastly provide alternative clones of Polyfill.io at the time of writing.




On the other hand, the official Polyfill.io X (formerly Twitter) account posted, 'We have found media messages slandering Polyfill.io. Our services are cached by Cloudflare and there is no risk to our supply chain,' denying the allegation that Polyfill.io contains malware.




Furthermore, they claim that Polyfill.io's services are not at risk, stating, 'Someone has maliciously defamed us. All content is statically cached, so there is no risk to the supply chain. If a third party were involved, it could pose a potential risk to your website. But no one would do that, as it would put our reputation at risk.'




However, security platform Socket claims that Polyfill.io is dangerous, and at the time of writing, it has listed the following four fixes for those who are using Polyfill.io's services:

1: Any sites using cdn.polyfill.io should remove it immediately.
2: If you're not sure whether you're using the Polyfill.io service, Polykill, which tracks supply chain attacks, recommends using a code search tool or IDE to search the source code of all projects in your organization for instances of cdn.polyfill.io.
3: If you need Polyfill.io's services, Fastly and Cloudflare offer reliable alternatives.
4: You can also self-host your repository in a secure and managed environment.

Socket also warned, 'Third-party services that are untrusted or have unknowingly ceded rights to new owners are the latest example of the need to audit your project's code. Regularly reviewing and updating your dependencies can help reduce the risk of being caught up in such attacks in the future.'

in Software, Security, Posted by logu_ii