
Polyfill supply chain attack hits 100K+ sites

The new Chinese owner of the popular Polyfill JS project is injecting malware into more than 100,000 sites.


A supply chain attack has affected more than 100,000 websites, according to the Sansec Forensics Team. The popular Polyfill JS project, now owned by a Chinese company, has been found to inject malware into any site that embeds a script from the cdn.polyfill.io domain. Notable users, including JSTOR, Intuit and the World Economic Forum, are among those affected. The injected code redirects mobile users to a sports betting site via a lookalike domain that imitates Google Analytics.

The original author of Polyfill recommends not using it at all: modern browsers no longer need the polyfills it provided. Google has already started blocking Google Ads for eCommerce sites that load polyfill.io. Fastly and Cloudflare host trustworthy alternatives for sites that still need it.

This incident is a typical example of a supply chain attack: a third-party script, trusted by the page and served under a long-established domain, changed hands and began serving malicious content. Sansec recommends its free CSP monitoring service, Sansec Watch, to gain visibility into the code that visitors' browsers are actually loading, and has updated its eComscan backend scanner with polyfill.io detection.
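The two checks a site owner needs after this report are (1) find every place a page pulls in cdn.polyfill.io, including dynamic loads from inline JavaScript, and (2) confirm the site's Content-Security-Policy would not let such a script run. The following Python is an added example written for this page; it is not Sansec's code, not eComscan or Sansec Watch, and not part of the original article. The sample page and the CSP strings are constructed for the demonstration, and treating the whole polyfill.io zone (not just cdn.polyfill.io) as suspect is a conservative assumption on my part.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The report names cdn.polyfill.io; flagging the whole polyfill.io zone is an
# assumption made here so that other subdomains of the same owner are caught too.
SUSPECT_DOMAIN = "polyfill.io"

# Absolute or protocol-relative URLs inside inline script bodies.
URL_RE = re.compile(r"""(?:https?:)?//[^\s'"<>()]+""")


def is_suspect(url: str) -> bool:
    """True when the URL's host is polyfill.io or any subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == SUSPECT_DOMAIN or host.endswith("." + SUSPECT_DOMAIN)


class _ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True  # body follows as raw script data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_polyfill_references(html: str) -> list[str]:
    """Return every polyfill.io URL a page loads, statically or from inline JS."""
    parser = _ScriptCollector()
    parser.feed(html)
    found = [u for u in parser.external if is_suspect(u)]
    for body in parser.inline:
        # Dynamic loaders (document.createElement('script')) hide the host in JS.
        found.extend(u for u in URL_RE.findall(body) if is_suspect(u))
    return found


def csp_allows_host(csp: str, host: str, page_host: str) -> bool:
    """Would this Content-Security-Policy let a script load from `host`?

    Only script-src (falling back to default-src) is evaluated; page_host is the
    origin the policy is served from and resolves 'self'. Nonces, hashes and
    'strict-dynamic' are ignored: they authorise specific scripts, not hosts.
    """
    directives = {}
    for raw in csp.split(";"):
        tokens = raw.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src", []))
    host = host.lower()
    for src in sources:
        if src == "'self'":
            if host == page_host.lower():
                return True
            continue
        if src.startswith("'"):          # other keyword sources
            continue
        if src == "*" or src in ("https:", "http:"):
            return True                  # any network host on that scheme
        # host-source: strip scheme, path and port to get the host pattern
        pattern = src.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        if pattern.startswith("*."):
            # "*.example.com" matches subdomains only, not example.com itself
            if host.endswith(pattern[1:]):
                return True
        elif pattern == host:
            return True
    return False


# Constructed sample page: one static include and one dynamic loader.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="/static/app.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://cdn.polyfill.io/v2/polyfill.min.js';
  document.head.appendChild(s);
</script>
</head><body></body></html>"""

WEAK_CSP = "default-src 'self'; script-src 'self' https:"
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com"

if __name__ == "__main__":
    for url in find_polyfill_references(SAMPLE_PAGE):
        print("polyfill.io reference:", url)
    for name, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        ok = csp_allows_host(csp, "cdn.polyfill.io", "shop.example")
        print(f"{name} CSP allows cdn.polyfill.io: {ok}")
```

Subresource Integrity would not have caught this one: polyfill.io tailored each response to the requesting User-Agent, so there was never a single hash to pin, which is why the advice is to drop the dependency rather than lock it down. A CSP allowlist with a report-uri or report-to endpoint is what gives the visibility Sansec Watch offers, but note the limit of the approach: once a host is on the allowlist, CSP cannot tell a good script from a malicious one served from it.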
