The recent supply chain attack on the widely used Polyfill[.]io JavaScript library is broader than first thought. New data from Censys show that more than 380,000 hosts were still embedding a polyfill script pointing at the malicious domain as of July 2, 2024.
These scripts, identified by “https://cdn.polyfill[.]io” or “https://cdn.polyfill[.]com” URLs in the hosts’ HTTP responses, remain a serious concern, the attack surface management company reported.
Roughly 237,700 of the hosts are on the Hetzner network (AS24940), mostly in Germany. “This isn’t entirely unexpected – Hetzner is a preferred web hosting platform, widely adopted by myriad web developers,” the report noted.
Further analysis of the affected hosts found sites belonging to well-known organizations, including WarnerBros, Hulu, Mercedes-Benz, and Pearson, that reference the malicious endpoint.
The attack came to light in late June 2024, when Sansec warned that code hosted on the Polyfill domain had been modified to redirect users to adult and gambling sites. The modified code was designed to trigger the redirects only at specific times of day and only for selected visitors.
The malicious behavior reportedly began after the domain and its associated GitHub repository were sold to a Chinese company named Funnull in February 2024.
The incident prompted several countermeasures: domain registrar Namecheap suspended the domain, content delivery networks such as Cloudflare began automatically rewriting Polyfill links to point at safe mirror sites, and Google started blocking ads for sites that embed the domain.
An attempt to revive the service under a new domain, polyfill[.]com, was likewise shut down by Namecheap as of June 28, 2024. Of two further domains the operators registered in early July – polyfill[.]site and polyfillcache[.]com – the latter is still operational.
In addition, a large set of potentially related domains, including bootcdn[.]net, bootcss[.]com, staticfile[.]net, staticfile[.]org, unionadjs[.]com, xhsbpza[.]com, union.macoms[.]la, and newcrbpc[.]com, has been linked to the Polyfill maintainers, suggesting the incident may be part of a broader malicious campaign.
“One domain in particular, bootcss[.]com, has been implicated in malfeasance strikingly similar to the Polyfill[.]io exploit, with evidence tracing back to June 2023,” Censys stated, adding that it detected 1.6 million publicly accessible hosts referencing these suspicious domains.
“It wouldn’t be entirely implausible to conjecture that the same nefarious actor behind the polyfill.io breach might leverage these other domains for analogous malevolent endeavors in the future.”
The findings coincide with a warning from WordPress security firm Patchstack about the cascading risk the Polyfill supply chain attack poses to sites running the content management system (CMS), through numerous legitimate plugins that reference the rogue domain.
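The detection Censys describes comes down to finding script and stylesheet references to the listed domains in a site's HTML. The following scanner is an added example, not Censys's or Polyfill's code: it parses an HTML response, flags `<script>`, `<link>` and `<iframe>` references whose host is one of the domains named in this article (or a subdomain of one), and handles protocol-relative URLs, mixed-case hosts and explicit ports; the sample page it runs on is constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the article: the original CDN host's domain, its replacements, and the
# related domains Censys tied to the same operators. Subdomains (e.g. cdn.polyfill.io) match too.
FLAGGED_DOMAINS = (
    "polyfill.io", "polyfill.com", "polyfill.site", "polyfillcache.com",
    "bootcdn.net", "bootcss.com", "staticfile.net", "staticfile.org",
    "unionadjs.com", "xhsbpza.com", "union.macoms.la", "newcrbpc.com",
)

def flagged_domain_for(url):
    """Return the flagged domain a URL's host belongs to, or None for benign/relative URLs."""
    host = urlparse(url.strip()).hostname  # lowercased, port stripped, None for relative paths
    if not host:
        return None
    for domain in FLAGGED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

class ReferenceScanner(HTMLParser):
    """Collect (tag, url, flagged_domain) for every external resource that hits a flagged domain."""
    URL_ATTRS = {"script": "src", "link": "href", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):  # HTMLParser lowercases tag and attribute names
        wanted = self.URL_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                domain = flagged_domain_for(value)
                if domain:
                    self.hits.append((tag, value, domain))

def find_flagged_references(html):
    """Scan one HTML document and return the list of flagged (tag, url, domain) references."""
    scanner = ReferenceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

# Constructed sample response (not a real capture): one benign script, one absolute reference
# to the Polyfill CDN, and one protocol-relative reference to a related domain.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.jsdelivr.net/some/benign.js"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css">
</head><body></body></html>"""

if __name__ == "__main__":
    for tag, url, domain in find_flagged_references(SAMPLE_HTML):
        print(f"<{tag}> references {url} (flagged domain: {domain})")
```

Pointing the scanner at a crawler's stored responses, rather than the live site, avoids re-fetching the malicious script while inventorying affected pages.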