JavaScript Supply Chain Attack Hits 100,000+ Sites
A massive supply chain attack has struck over 100,000 websites using Polyfill.io's JavaScript code. Sansec reported that a China-based company, after acquiring Polyfill.io, altered its code to redirect visitors to malicious and scam sites (BleepingComputer) (SecurityWeek).
Mitigation and Community Efforts
“Major companies, like Hulu, were still relying on the code”
Sansec went public with their findings, urging website owners to remove the compromised code. Thankfully, ad blockers like uBlock Origin auto-blocked the malicious code, protecting many users. Namecheap also stepped in, nuking the Polyfill.io domain to stop further attacks. This was crucial since major companies, like Hulu, were still relying on the code (Qualys Security Blog) (InfoQ).
Noteworthy: The original creator of the Polyfill project sounded the alarm, while the new owner dismissed the concerns of numerous security researchers, accusing them of slander (BleepingComputer).
What This Means for Web Security
Regular Audits: Consistently audit third-party code to ensure its integrity.
Use Ad Blockers: Ad blockers can provide an extra layer of security.
Collaboration: Transparency and collaboration within the cybersecurity community are essential.
The Polyfill.io attack underscores the importance of being vigilant with third-party dependencies. Stay proactive and informed out there!
For more detailed information, you can read the full reports on Bleeping Computer (BleepingComputer), SecurityWeek (SecurityWeek), and Qualys Security Blog (Qualys Security Blog).
