compromises: polyfill.io publishing infrastructure (#1314)

Signed-off-by: zerb4t <[email protected]> Co-authored-by: Andrés Vega <[email protected]>
cncf · Jul 12, 2024 · 69063b3 · 69063b3
1 parent 41bf434
commit 69063b3
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/supply-chain-security/compromises/2024/polyfill.md b/supply-chain-security/compromises/2024/polyfill.md
@@ -0,0 +1,26 @@
+<!-- cSpell:ignore fastly staticfile namecheap sansec polyfillpolyfill -->
+# Polyfill.io Infrastructure Takeover Leading to Malware Distribution
+
+In February 2024, a Chinese company acquired control of the `polyfill dot io,com` domains, and the `polyfillpolyfill` GitHub account.
+
+In June 2024, Sansec observed malware being served from the `cdn dot polyfill dot io` domain. Other researchers discovered some of the malware's functions referenced in other domains including BootCSS, BootCDN and Staticfile, and based on exposed API keys in public GitHub repositories, proposed the same threat actor is behind all the domains.
+
+## Impact
+
+* While the observed malware only performed site redirection, malicious control of `cdn dot polyfill dot io` could result in arbitrary malicious JavaScript code execution in users' browsers.
+* Namecheap shut down the domain for a period of time, and some threat feeds flagged the domain as malicious
+* While polyfills shouldn't be required in modern browsers, and despite the project's creator warning users since February to steer away from the `polyfill dot io` domain, this incident prompted Fastly and Cloudflare to offer safer drop-in replacements
+* Google Ads started disapproving ads pointing to sites using the affected domains
+* Sansec estimated this incident affects over 100,000 websites, and Cloudflare's CEO said about 4% of the web used `polyfill dot io`
+
+## Type of Compromise
+
+This is a _publishing infrastructure_ compromise.
+
+## References
+
+* [Sansec Research](https://sansec.io/research/polyfill-supply-chain-attack)
+* [BleepingComputer](https://www.bleepingcomputer.com/news/security/polyfillio-bootcdn-bootcss-staticfile-attack-traced-to-1-operator/)
+* [BleepingComputer](https://www.bleepingcomputer.com/news/security/polyfill-claims-it-has-been-defamed-returns-after-domain-shut-down/)
+* [Fastly Community](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)
+* [Cloudflare Blog](https://blog.cloudflare.com/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-safer-internet/)
diff --git a/supply-chain-security/compromises/README.md b/supply-chain-security/compromises/README.md
@@ -30,6 +30,7 @@ of compromise needs added, please include that as well.
 <!-- cSpell:disable -->
 | Name              | Year               | Type of compromise    | Link        |
 | ----------------- | ------------------ | ------------------    | ----------- |
+| [Polyfill.io Infrastructure Takeover Leading to Malware Distribution](2024/polyfill.md) | 2024 | Publishing Infrastructure | [1](https://sansec.io/research/polyfill-supply-chain-attack) |
 | [Malware Disguised as Installer used to target Korean Public Institution](2024/targeted-signed-endoor.md) | 2024 | Trust and Signing | [1](https://asec.ahnlab.com/en/63396/) |
 | [3proxy signing incident](2024/laixi-3proxy.md) | 2024 | Trust and Signing | [1](https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/) |
 | [xz backdoor incident](2024/xz.md) | 2024 | Malicious Maintainer | [1](https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide) |