Polyfill Fuels Supply Chain Concerns with Malicious Redirects: +100,000 Websites Affected
Latest Update: “Polyfill Issue Affects +380,000 Hosts and Major Companies, With Ongoing New Domain Registrations”
Researchers have warned of a new supply chain attack originating from the Polyfill[.]io service. At least 100,000 websites are affected.
Polyfill.io is a service, backed by an open-source project, that serves polyfills: small scripts that implement modern browser features so that a site's code keeps working in outdated browsers. The service inspects the requesting browser and returns only the polyfills that browser lacks, which is why so many sites loaded it from a single third-party domain rather than shipping it themselves.
What Caused the Polyfill Supply Chain Attack?
The supply chain attack linked to Polyfill[.]io began after a Chinese company, “Funnull,” took over its domain and altered the script to reroute users to malicious websites.
Sansec warned about this on June 25, 2024, reporting that Funnull had acquired both the Polyfill domain and its GitHub account in February 2024 and was using the domain to push malware to mobile devices through any site that loads scripts from "cdn.polyfill.io".
The Polyfill[.]io service was redirected to polyfill.io.bsclink.cn, a host controlled by Funnull. As a result, developers who embed cdn.polyfill.io scripts unknowingly pull code from Funnull's infrastructure, and their visitors are redirected to unwanted destinations.
Numerous complaints on the subject surfaced on GitHub but were swiftly removed; an archive of these comments has been preserved for context.
Capabilities of the Malicious Script
In observed cases, the script redirected users to scam sites through a fake Google Analytics domain (a look-alike of the legitimate one) and other redirect URLs listed in the IoCs section below.
Sansec researchers note that the script is hardened against reverse engineering, which makes it difficult to analyze. It activates only on specific mobile devices and only at certain times, stays dormant when it detects an admin user, and delays execution when it finds a web analytics service on the page, all to evade detection and analysis.
At the time of writing, the cdn.polyfill.io domain redirects to a Cloudflare mirror. Because the domain's nameservers are unchanged, however, its owners could point it back at their own infrastructure at any time.
What Is the Scope of This Supply Chain Attack?
More than 100,000 websites currently embed Polyfill using the “cdn.polyfill.io” domain. Given that each of these sites could attract thousands of visitors daily, the risks are substantial, highlighting the extensive impact of this supply chain attack.
Can’t Use Polyfill; Here’s What to Do
Due to the severity of the issue, Andrew Betts, the original author of the Polyfill service, advises against using Polyfill at all, since modern browsers no longer need it, and says it should be removed 'immediately'.
Betts further states, “No website today requires any of the polyfills in the polyfill[.]io library. Most new web platform features are quickly adopted by all major browsers. Exceptions, like Web Serial and Web Bluetooth, generally can’t be polyfilled anyway.”
With developers reporting that Polyfill redirects visitors to specific wallet sites and serves obfuscated code executed through eval(), its use is completely inadvisable.
For those who still need a polyfill service, Cloudflare and Fastly offer alternatives. Use one of these providers or, better, self-host only the polyfills your site actually needs, to minimize the risk of a supply chain attack.
Google’s Warning
Google has issued a warning that landing pages containing the malicious code can redirect visitors away from the intended site without the website owner’s knowledge or permission. Consequently, the Google Ads for e-commerce sites using Polyfill[.]io are now being blocked.
Additionally, Google reports that Bootcss[.]com, Bootcdn[.]net, and Staticfile[.]org have also been found causing unwanted redirects, potentially expanding the scope of the supply chain attacks.
At the time of this update, the Polyfill[.]io service nevertheless remained active and continued to pose a significant threat.
Swift Actions by Namecheap and Cloudflare in Response to Polyfill Supply Chain Attack
The Polyfill supply chain attack has prompted rapid responses from both Namecheap and Cloudflare.
Silent Push has been tweeting about affected sites on the social platform X, including major names like Hulu, Warner Bros, and Telegraph UK. They also reported analyzing government websites with JavaScript from polyfill[.]io; high-profile users like Atlassian, Square, Sendgrid, and JSTOR were also impacted.
Given the number of sites that use Polyfill and the community’s concerns, Namecheap, the domain registrar, made the Polyfill.io domain inaccessible.
Cloudflare also intervened by creating a safe mirror of the Polyfill service under its cdnjs domain, and added automatic URL rewriting for sites proxied through Cloudflare that replaces polyfill.io links with links to that mirror.
Polyfill Relaunches, Accuses Cloudflare of ‘Baseless’ Claims
The owners of Polyfill.io have relaunched the JavaScript CDN service on a new domain, polyfill.com, after Namecheap shut down the original polyfill.io for distributing malicious code to over 100,000 websites. They claim the shutdown resulted from “malicious defamation” and “media slander.”
Polyfill’s owners assert there are no supply chain risks and that all services are cached in Cloudflare. In a series of posts on the social platform X, they denied involvement in any supply chain attack and called the allegations baseless.
However, as the original author of Polyfill.io previously commented and other observations suggest, the Polyfill service cannot be trusted. Funnull, the company behind it, raises further suspicion because of conflicting information about its origins and operations: it claims various global locations and lists dubious contact details while showing signs of a Chinese connection, and its intentions remain unclear.
In their latest post, the Polyfill owners take a combative tone, accusing Cloudflare of baseless and malicious comments; Cloudflare, for its part, says the operators had displayed Cloudflare's name on their site without authorization.
Namecheap Deactivates Polyfill.com; Researchers Find the Origin of the Supply Chain Attack
Namecheap has also deactivated polyfill.com, the domain that surfaced to replace the original polyfill.io. Separately, the Polyfill supply chain issue has been traced to a GitHub repository that exposed sensitive information, including API keys and configuration settings.
This leak let researchers attribute the attack to a single entity operating multiple CDN services, namely BootCDN, Bootcss and Staticfile alongside Polyfill.io. The exposed data showed that these services were interconnected and controlled by the same party, which explains the wide impact across websites.
The discovery was a collaborative effort by Ze-Zheng Wu, @mdmck10, and the MalwareHunterTeam.
They found that the repository contained a .env file that inadvertently exposed Cloudflare API tokens, Zone IDs and Algolia API keys. These tied the domains to the same Cloudflare account, pointing to a single threat actor or group behind the supply chain attacks.
MalwareHunterTeam emphasized the significance of the additional domains (bootcss.com, bootcdn.net, and staticfile.org) that Google previously highlighted in a warning to advertisers, which had been overlooked by many. It is estimated that the combined impact could affect over 350,000 websites.
According to a researcher’s Tweet, the malicious code related to these attacks had been circulating on Chinese forums since June 2023.
There are concerns that the threat actor/s behind the supply chain attack may have preemptively registered multiple domains, potentially leading to ongoing issues.
Infected WordPress Plugins Raise Threat of Supply Chain Attacks
Several WordPress plugins have been injected with malicious PHP code that exfiltrates database credentials and lets the attacker create unauthorized administrator accounts.
The threat actor reportedly compromised the source code of the following plugins:
- Social Warfare
  - Affected versions: 4.4.6.4 to 4.4.7.1
  - Fixed version: 4.4.7.3
- Blaze Widget
  - Affected versions: 2.2.5 to 2.5.2
  - Fixed version: 2.5.4
- Wrapper Link Element
  - Affected versions: 1.0.2 to 1.0.3
  - Fixed version: 1.0.5
- Contact Form 7 Multi-Step Addon
  - Affected versions: 1.0.4 to 1.0.5
  - Fixed version: 1.0.7
- Simply Show Hooks
  - Affected versions: 1.2.1 to 1.2.2
  - No fixed version available
Wordfence advises users to uninstall the compromised plugins and perform a thorough malware scan. One plugin still has no fixed version. Current evidence indicates the issue is confined to the five plugins above, but other WordPress plugins could still turn out to be affected.
How Did the Threat Actor Infect WordPress Plugins?
The attack was discovered by Wordfence, and a CVE identifier, CVE-2024-6297 (CVSS 10/10), was publicly assigned on June 24, 2024. The injections took place between June 21 and June 22; how the threat actor gained access to the plugins' source code is still unclear.
The injected malware attempts to create new administrative user accounts and sends their details to an attacker-controlled server. The threat actor also injected malicious JavaScript into site footers, adding SEO spam throughout the site. Data is transmitted to the IP address 94.156.79[.]8, and the attacker-created admin accounts are named "Options" and "PluginAuth".
Through these plugins, malicious actors could create administrative accounts on WordPress websites, compromise sensitive data and serve malware to visitors.
This development coincides with the release of WordPress 6.5.5, which ships urgent security fixes for several unrelated vulnerabilities that exposed millions of WordPress-powered websites to Cross-site Scripting (XSS) and Path Traversal attacks.
Polyfill Issue Affects +380,000 Hosts and Major Companies, With Ongoing New Domain Registrations
New developments indicate that the supply chain attack is more extensive than initially believed. As of July 2, 2024, it was found that over 380,000 hosts are embedding a script linked to the malicious domain.
Most of the affected hosts are in Germany, particularly within the Hetzner network, a popular web hosting service. Domains associated with major companies such as Warner Bros, Hulu, Mercedes-Benz, and Pearson were also found to be referencing Polyfill.
Patchstack has also pointed out the ongoing risk to CMS sites, since many legitimate plugins still load resources from the compromised domain. Patchstack maintains a list of the affected plugins.
Also noteworthy is that after the failed relaunch on polyfill[.]com, the owners tried to register new domains: polyfill[.]site, polyfillcache[.]com and, as of today, polyfill[.]top. These will likely keep being taken down as the threat persists, and the community is actively tracking the issue.
Recommendations to Prevent Malicious Redirections
To protect against malicious redirections from compromised third-party services like Polyfill, consider the following measures:
- Subresource Integrity (SRI): Add an integrity attribute (a hash of the file's exact bytes) to script and stylesheet tags so the browser refuses to run a file that has been modified after you pinned it. Note that SRI only works for resources whose bytes never change; a service like polyfill.io that tailors the response to the browser's User-Agent cannot be pinned this way, which is one more reason to self-host.
- Self-Hosting Critical Resources: When possible, self-host critical JavaScript libraries and resources instead of relying on third-party CDNs. This reduces the risk of supply chain attacks.
- Monitor Third-Party Services: Conduct regular security audits of your website’s third-party dependencies. Verify that all external scripts and resources are trustworthy and up to date.
- Automatic URL Rewriting: If your site is proxied through a provider that offers it (Cloudflare does), enable automatic rewriting of references to compromised domains to a safe mirror. Treat this as a stopgap until the references are removed from your code.
- Content Security Policy (CSP): Deploy a Content-Security-Policy header with a tight script-src allowlist so the browser refuses scripts from hosts you never approved. CSP does not help when the compromised host itself is on the allowlist, as cdn.polyfill.io would have been, so pair it with the steps above.
Indicators of Compromise (IoCs) Related to Polyfill Supply Chain Attack
- https://kuurza[.]com/redirect?from=bitget
- https://www.googie-anaiytics[.]com/html/checkcachehw.js
- https://www.googie-anaiytics[.]com/ga.js
- https://cdn.bootcss[.]com/highlight.js/9.7.0/highlight.min.js
- https://union.macoms[.]la/jquery.min-4.0.2.js
- https://newcrbpc[.]com/redirect?from=bscbc
- bootcdn[.]net
- staticfile[.]net
- staticfile[.]org
- unionadjs[.]com
- xhsbpza[.]com
Indicators of Compromise (IoCs) Related to Compromise of WordPress Plugins
Attacker-controlled server’s IP address:
- 94.156.79.8
Known usernames of attacker-generated administrative user accounts:
- Options
- PluginAuth
Attackers often exploit third-party vendors, tools, and services in supply chain attacks to distribute malware. To prevent these threats and enhance your security posture, SOCRadar offers the Supply Chain Intelligence module.
This module alerts you on companies that have been targets of cyberattacks, provides actionable intelligence, and ensures you stay protected from weaknesses in your supply chain.
Monitor and Strengthen Your Supply Chain Security with SOCRadar
SOCRadar provides the much-needed Cyber Threat Intelligence (CTI) to empower your organization against cyber incidents, providing proactive insights into potential threats.
CTI solutions like SOCRadar enhance supply chain visibility by mapping the attack surface, offering early vulnerability detection, and assisting in implementing effective cybersecurity measures.
SOCRadar’s Supply Chain Intelligence module provides you with real-time cybersecurity updates, reports, and alarms, ensuring you remain informed about emerging threats targeting your organization’s supply chain.
Additionally, the platform provides insights into global trends for country and sector-specific attacks, enabling you to forecast and defend against supply chain threats.