compromises: polyfill.io publishing infrastructure #1314

Merged
merged 2 commits into from
Jul 12, 2024
26 changes: 26 additions & 0 deletions supply-chain-security/compromises/2024/polyfill.md
@@ -0,0 +1,26 @@
<!-- cSpell:ignore fastly staticfile namecheap sansec polyfillpolyfill -->
# Polyfill.io Infrastructure Takeover Leading to Malware Distribution

In February 2024, a Chinese company acquired control of the `polyfill dot io,com` domains, and the `polyfillpolyfill` GitHub account.

In June 2024, Sansec observed malware being served from the `cdn dot polyfill dot io` domain. Other researchers discovered some of the malware's functions referenced in other domains including BootCSS, BootCDN and Staticfile, and based on exposed API keys in public GitHub repositories, proposed the same threat actor is behind all the domains.

## Impact

* While the observed malware only performed site redirection, malicious control of `cdn dot polyfill dot io` could result in arbitrary malicious JavaScript code execution in users' browsers.
* Namecheap shut down the domain for a period of time, and some threat feeds flagged the domain as malicious
* While polyfills shouldn't be required in modern browsers, and despite the project's creator warning users since February to steer away from the `polyfill dot io` domain, this incident prompted Fastly and Cloudflare to offer safer drop-in replacements
* Google Ads started disapproving ads pointing to sites using the affected domains
* Sansec estimated this incident affects over 100,000 websites, and Cloudflare's CEO said about 4% of the web used `polyfill dot io`

## Type of Compromise

This is a _publishing infrastructure_ compromise.

## References

* [Sansec Research](https://sansec.io/research/polyfill-supply-chain-attack)
* [BleepingComputer](https://www.bleepingcomputer.com/news/security/polyfillio-bootcdn-bootcss-staticfile-attack-traced-to-1-operator/)
* [BleepingComputer](https://www.bleepingcomputer.com/news/security/polyfill-claims-it-has-been-defamed-returns-after-domain-shut-down/)
* [Fastly Community](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)
* [Cloudflare Blog](https://blog.cloudflare.com/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-safer-internet/)
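Review bot: the domain in the first paragraph is written `polyfill dot io,com`, which is ambiguous; if two domains (the .io and .com) are meant, spell each out in the defanged style used in the rest of the file, e.g. `polyfill dot io` and `polyfill dot com`, and apply the same style to the title, which still reads "Polyfill.io". The bullets under Impact also end inconsistently: the first has a terminating period while the Namecheap, Fastly/Cloudflare, Google Ads and Sansec-estimate lines do not. Since the page already cites the Fastly and Cloudflare drop-in replacements, a short remediation line (remove or replace `<script>` references to `cdn dot polyfill dot io` with one of those mirrors) would make it directly actionable for readers auditing their own sites.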
1 change: 1 addition & 0 deletions supply-chain-security/compromises/README.md
Expand Up @@ -30,6 +30,7 @@ of compromise needs added, please include that as well.
<!-- cSpell:disable -->
| Name | Year | Type of compromise | Link |
| ----------------- | ------------------ | ------------------ | ----------- |
| [Polyfill.io Infrastructure Takeover Leading to Malware Distribution](2024/polyfill.md) | 2024 | Publishing Infrastructure | [1](https://sansec.io/research/polyfill-supply-chain-attack) |
| [Malware Disguised as Installer used to target Korean Public Institution](2024/targeted-signed-endoor.md) | 2024 | Trust and Signing | [1](https://asec.ahnlab.com/en/63396/) |
| [3proxy signing incident](2024/laixi-3proxy.md) | 2024 | Trust and Signing | [1](https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/) |
| [xz backdoor incident](2024/xz.md) | 2024 | Malicious Maintainer | [1](https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide) |