The supply chain attack targeting the widely used JavaScript library Polyfill(.)io is larger than previously thought, with new findings from Censys revealing that as of July 2, 2024, more than 380,000 hosts embed a polyfill script that links to a malicious domain.
This includes references to “https://cdn.polyfill(.)io” or “https://cdn.polyfill(.)com” in their HTTP responses, the attack surface management firm said.
“Approximately 237,700 are in the Hetzner network (AS24940), mainly in Germany,” it said. “It’s no surprise – Hetzner is a popular web host and many website developers use it.”
Further analysis of the affected hosts revealed domains associated with well-known companies such as WarnerBros, Hulu, Mercedes-Benz, and Pearson that link to the malicious endpoint in question.
Details of the attack emerged in late June 2024 when Sansec warned that the code hosted on the Polyfill domain had been modified to redirect users to adult and gambling websites. The code changes were made so that redirects only occurred at certain times of the day and only for visitors who met certain criteria.
The nefarious behavior is said to have been introduced after the domain and its associated GitHub repository were sold to Chinese company Funnull in February 2024.
This has since prompted domain registrar Namecheap to suspend the domain, content delivery networks such as Cloudflare to automatically replace Polyfill links with domains leading to alternative secure mirror sites, and Google to block ads for sites that embed the domain.
While the operators tried to restart the service under another domain called polyfill(.)com, it was also removed by Namecheap as of June 28, 2024. Of two other domains they registered since the beginning of July, polyfill(.)site and polyfillcache(.)com, the latter continues to work.
Also, a broader network of potentially related domains, including bootcdn(.)net, bootcss(.)com, staticfile(.)net, staticfile(.)org, unionadjs(.)com, xhsbpza(.)com, union.macoms(.)la, and newcrbpc(.)com, was found to be associated with the Polyfill maintainers, indicating that the incident may be part of a wider malicious campaign.
“One of these domains, bootcss(.)com, has been seen in malicious activity very similar to the polyfill(.)io attack, with evidence dating back to June 2023,” Censys noted, adding that 1.6 million public hosts link to these suspicious domains.
“It would not be entirely unreasonable to consider the possibility that the same attacker responsible for the polyfill.io attack could use these other domains for similar activities in the future.”
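For site operators who want to check their own pages for these references, the following is an added example (not code from Censys or from the article) that scans an HTTP response body for resource-loading attributes and bare URLs pointing at the domains named above, and optionally rewrites them to a mirror host of the operator's choosing. The domain list is taken from the article (written plainly here rather than defanged so URLs can be matched); the sample HTML, the `cdn.bootcss.com` subdomain in it, and the `mirror.example.invalid` replacement host are constructed placeholders for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the article's Censys findings: the polyfill CDN domains and
# the related infrastructure tied to the same maintainers. The article defangs
# them with "(.)"; they are written plainly here so that URLs can be matched.
SUSPICIOUS_DOMAINS = {
    "polyfill.io", "polyfill.com", "polyfill.site", "polyfillcache.com",
    "bootcdn.net", "bootcss.com", "staticfile.net", "staticfile.org",
    "unionadjs.com", "xhsbpza.com", "union.macoms.la", "newcrbpc.com",
}

# Tag attributes through which a page pulls in a remote resource.
URL_ATTRS = {"src", "href", "data-src"}

# Bare absolute or protocol-relative URLs, e.g. inside inline JavaScript that
# creates a <script> element dynamically, or inside a CSS @import.
URL_RE = re.compile(r"""(?:https?:)?//[A-Za-z0-9.-]+(?:/[^\s"'<>]*)?""")


def host_is_suspicious(host):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPICIOUS_DOMAINS)


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, url) for every resource-loading attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value.strip()))


def _host_of(url):
    # Protocol-relative embeds ("//cdn.example/...") have no scheme; add one for urlparse.
    return urlparse("https:" + url if url.startswith("//") else url).hostname


def find_suspicious_refs(body):
    """Return sorted (where, url, host) triples for every reference to a listed domain.

    'where' is "<tag>@<attr>" for markup attributes and "inline" for bare URLs
    found outside attributes (inline scripts, stylesheets, etc.).
    """
    hits = set()
    seen_urls = set()
    collector = _RefCollector()
    collector.feed(body)
    for tag, attr, url in collector.refs:
        seen_urls.add(url)
        host = _host_of(url)
        if host and host_is_suspicious(host):
            hits.add((f"{tag}@{attr}", url, host))
    for m in URL_RE.finditer(body):
        url = m.group(0)
        if url in seen_urls:  # already reported via its attribute
            continue
        host = _host_of(url)
        if host and host_is_suspicious(host):
            hits.add(("inline", url, host))
    return sorted(hits)


def rewrite_refs(body, replacement_host):
    """Point every flagged reference at replacement_host (a mirror the operator trusts)."""
    for _, url, host in find_suspicious_refs(body):
        body = body.replace(url, url.replace(host, replacement_host, 1))
    return body


# Constructed sample response body for the demonstration (not from any real site).
SAMPLE_BODY = """<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/4.0.0/css/bootstrap.min.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://polyfillcache.com/v3/polyfill.min.js';
  document.head.appendChild(s);
</script>
</head><body><p>hello</p></body></html>"""

if __name__ == "__main__":
    for where, url, host in find_suspicious_refs(SAMPLE_BODY):
        print(f"{where:12} {host:22} {url}")
```

Run against a saved response body (for example the output of `curl -sL` on a page you operate), the scanner reports the three constructed references in the sample and ignores the cdnjs one; the subdomain check means a host such as `cdn.polyfill.io` matches the listed `polyfill.io`, while a lookalike such as `notpolyfill.io` does not. Matching on the bare host string rather than only on `<script src>` is deliberate, since the article notes that the references appear in HTTP responses generally, including protocol-relative and dynamically created loads.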
The development comes as WordPress security company Patchstack warned of the cascading risks of the Polyfill supply chain attack for sites running the content management system (CMS), since dozens of legitimate plugins link to the spoofed domain.