SOCRadar® Cyber Intelligence Inc. | Polyfill Fuels Supply Chain Concerns with Malicious Redirects: +100,000 Websites Affected


Jun 26, 2024
12 Mins Read

Polyfill Fuels Supply Chain Concerns with Malicious Redirects: +100,000 Websites Affected

Latest Update: “Polyfill Issue Affects +380,000 Hosts and Major Companies, With Ongoing New Domain Registrations”

Researchers have issued a warning about a new supply chain attack originating from the Polyfill[.]io service. Alarmingly, this attack has affected at least 100,000 websites.

Polyfill is an open-source library that ensures your website’s code remains functional even in outdated browsers. By using Polyfill, older browsers can support modern features, allowing users to access the same functionalities as they would on newer browsers.

What Caused the Polyfill Supply Chain Attack?

The supply chain attack linked to Polyfill[.]io began after a Chinese company, “Funnull,” took over its domain and altered the script to reroute users to malicious websites.

Sansec warned about this on June 25, 2024, reporting that Funnull acquired both Polyfill’s domain and its GitHub account in February 2024, using the compromised domain to spread malware to mobile devices via any site utilizing “” 

The Polyfill[.]io service was redirected to, which is controlled by Funnull. As a result, developers who embed scripts inadvertently pull code from Funnull’s site, causing visitors to be redirected to unwanted destinations.

Numerous complaints regarding the subject surfaced on GitHub, though they were swiftly removed. An archive of these comments is available here for further context.

Capabilities of the Malicious Script

In observed cases, the script directed users to scam sites by using a fake Google Analytics domain or other redirect URLs (see the IoCs section). Researchers mention that this script is resistant to reverse engineering, which makes it difficult to analyze.

Sansec researchers mention that the script is resistant to reverse engineering, which makes it difficult to analyze. It activates only on specific mobile devices, at certain times, and remains inactive when detecting an admin user, delaying execution if a web analytics service is found, in order to evade detection.

At this point, the domain redirects to a Cloudflare mirror. Yet since the DNS servers for the domain remain the same, the owners can revert to their original domains.

What Is the Scope of This Supply Chain Attack?

More than 100,000 websites currently embed Polyfill using the “” domain. Given that each of these sites could attract thousands of visitors daily, the risks are substantial, highlighting the extensive impact of this supply chain attack.

Results for websites using “” (PublicWWW)

Results for websites using “” (PublicWWW)

You can easily monitor digital assets with SOCRadar’s Attack Surface Management (ASM) module, and find those involving Polyfill.

Monitor assets for Polyfill with SOCRadar’s Digital Footprint, under the ASM module

Monitor assets for Polyfill with SOCRadar’s Digital Footprint, under the ASM module

Can’t Use Polyfill; Here’s What to Do

Due to the severity of the issue, Andrew Betts, the original author of Polyfill, advises against using Polyfill altogether, as modern browsers no longer need it. He emphasizes that it should be removed ‘immediately’.

Tweet by the author (Source: X)

Tweet by the author (Source: X)

Betts further states, “No website today requires any of the polyfills in the polyfill[.]io library. Most new web platform features are quickly adopted by all major browsers. Exceptions, like Web Serial and Web Bluetooth, generally can’t be polyfilled anyway.”

With developers reporting that Polyfill is redirecting to specific wallet sites or delivering ambiguous eval code, its use is completely inadvisable.

For those needing similar services, Cloudflare and Fastly offer alternatives to Polyfill. It is recommended to use services from these trusted providers or to self-host the repository to minimize the risk of a supply chain attack.

Google’s Warning

Google has issued a warning that landing pages containing the malicious code can redirect visitors away from the intended site without the website owner’s knowledge or permission. Consequently, the Google Ads for e-commerce sites using Polyfill[.]io are now being blocked.

Additionally, Google reports that Bootcss[.]com, Bootcdn[.]net, and Staticfile[.]org have also been found causing unwanted redirects, potentially expanding the scope of the supply chain attacks.

Google Ads alert (Source: X)

Google Ads alert (Source: X)

Nevertheless, the Polyfill[.]io service remains active, continuing to pose a significant threat.

Swift Actions by Namecheap and Cloudflare in Response to Polyfill Supply Chain Attack

The Polyfill supply chain attack has prompted rapid responses from both Namecheap and Cloudflare.

Silent Push has been tweeting about affected sites on the social platform X, including major names like Hulu, Warner Bros, and Telegraph UK. They also reported analyzing government websites with JavaScript from polyfill[.]io; high-profile users like Atlassian, Square, Sendgrid, and JSTOR were also impacted.

A researcher tweeted about Namecheap's critical action against the domain, highlighting the change on (Source: X)

A researcher tweeted about Namecheap’s critical action against the domain, highlighting the change on (Source: X)

Given the number of sites that use Polyfill and the community’s concerns, Namecheap, the domain registrar, made the domain inaccessible.

Cloudflare also intervened by creating a secure mirror of the Polyfill service under their cdnjs domain. They implemented an automatic URL rewriting feature for sites using Cloudflare, redirecting links to their secure mirror.

Polyfill Relaunches, Accuses Cloudflare of ‘Baseless’ Claims

The owners of have relaunched the JavaScript CDN service on a new domain,, after Namecheap shut down the original for distributing malicious code to over 100,000 websites. They claim the shutdown resulted from “malicious defamation” and “media slander.”

Polyfill claims there is “no supply chain risk” (X), Polyfill supply chain attack

Polyfill claims there is “no supply chain risk” (X)

Polyfill’s owners assert there are no supply chain risks and that all services are cached in Cloudflare. In a series of posts on the social platform X, they denied involvement in any supply chain attack and called the allegations baseless.

However, as the original author of previously commented and other observations suggest, the Polyfill service is unreliable. Funnull, the company behind Polyfill, raises even further suspicions due to conflicting information about its origins and operations. The company claims various global locations and dubious contact details while suggesting a possible Chinese connection, and its intentions remain unclear.

In their latest tweet, the Polyfill owners adopt a spiteful tone, accusing Cloudflare of making baseless and malicious comments, although, according to Cloudflare, they had previously named Cloudflare on their site without authorization.

Polyfill comes forward, yet again, with denials and alleged improvements (X), Polyfill supply chain attack

Polyfill comes forward, yet again, with denials and alleged improvements (X)

Namecheap Deactivates; Researchers Find the Origin of the Supply Chain Attack

Namecheap has recently deactivated the domain, which had surfaced to replace the original Additionally, the Polyfill supply chain issue has been traced back to a GitHub repository that exposed sensitive information, including API keys and configuration settings.

Namecheap has suspended (X)

Namecheap has suspended (X)

This leak enabled researchers to attribute the attack to a single entity managing multiple CDN services, such as BootCDN, Bootcss, and Staticfile, alongside The exposed data revealed how these services were interconnected and controlled by the same entity, leading to widespread impact across numerous websites.

The discovery was a collaborative effort by Ze-Zheng Wu, @mdmck10, and the MalwareHunterTeam.

They found that the GitHub repository contained a .env file, which inadvertently revealed Cloudflare API tokens, Zone IDs, and Algolia API keys. These findings connected the domains managed under the same Cloudflare account, leading to a single threat actor or group behind the supply chain attacks.

MalwareHunterTeam emphasized the significance of the additional domains (,, and that Google previously highlighted in a warning to advertisers, which had been overlooked by many. It is estimated that the combined impact could affect over 350,000 websites.

According to a researcher’s Tweet, the malicious code related to these attacks had been circulating on Chinese forums since June 2023.

The researcher’s Tweet (X)

The researcher’s Tweet (X)

There are concerns that the threat actor/s behind the supply chain attack may have preemptively registered multiple domains, potentially leading to ongoing issues.

Infected WordPress Plugins Raise Threat of Supply Chain Attacks

Numerous WordPress plugins have been injected with malicious PHP code, which exfiltrates database credentials and allows creating new unauthorized administrator accounts.

Reportedly, a malicious threat actor compromised the source code of these plugins, including those listed below:

  • Social Warfare
    • Affected versions: to
    • Fixed version:
  • Blaze Widget
    • Affected versions: 2.2.5 to 2.5.2
    • Fixed version: 2.5.4
  • Wrapper Link Element
    • Affected versions: 1.0.2 to 1.0.3
    • Fixed version: 1.0.5
  • Contact Form 7 Multi-Step Addon
    • Affected versions: 1.0.4 to 1.0.5
    • Fixed version: 1.0.7
  • Simply Show Hooks
    • Affected versions: 1.2.1 to 1.2.2
    • No available fixes

Wordfence advises users to uninstall the compromised plugins and perform a thorough malware scan. While one plugin still lacks a fix, current evidence indicates that the issue is confined to the five identified plugins, though other WordPress plugins could potentially be affected.

How Did the Threat Actor Infect WordPress Plugins?

The attack was discovered by Wordfence, and a CVE identifier was publicly assigned on June 24, 2024: CVE-2024-6297 (CVSS: 10/10). The injections took place between June 21 and June 22, however, how the threat actor accessed the source code of the plugins is still unclear.

Vulnerability card of CVE-2024-6297 (SOCRadar Vulnerability Intelligence)

Vulnerability card of CVE-2024-6297 (SOCRadar Vulnerability Intelligence)

The injected malware attempts to create new administrative user accounts and sends those details back to an attacker-controlled server. Additionally, the threat actor injected malicious JavaScript into websites’ footers, adding SEO spam throughout the site. The data is transmitted to the IP address 94.156.79[.]8, with the arbitrarily created admin accounts named “Options” and “PluginAuth.”

Exploiting these plugins, malicious actors could create new administrative accounts on WordPress websites, compromise sensitive data, and serve malware to website users.

This development coincides with the release of WordPress 6.5.5, which provides urgent security updates related to several other vulnerabilities, exposing millions of WordPress-powered websites to Cross-site Scripting (XSS) and Path Traversal attacks.

Polyfill Issue Affects +380,000 Hosts and Major Companies, With Ongoing New Domain Registrations

New developments indicate that the supply chain attack is more extensive than initially believed. As of July 2, 2024, it was found that over 380,000 hosts are embedding a script linked to the malicious domain.

Most of the affected hosts are in Germany, particularly within the Hetzner network, a popular web hosting service. Domains associated with major companies such as Warner Bros, Hulu, Mercedes-Benz, and Pearson were also found to be referencing Polyfill.

Patchstack has also pointed out the ongoing risks to CMS sites due to many legitimate plugins connecting to the compromised domain. For details on the affected plugins, visit here.

Also noteworthy is that after the initial failed relaunch with polyfill[.]com, owners attempted to register new domains: polyfill[.]site, polyfillcache[.]com, and another that just emerged today, polyfill[.]top. These domains will likely continue being taken down as the threat persists, with the community actively tracking the issue.

Recommendations to Prevent Malicious Redirections

To protect against malicious redirections from compromised third-party services like Polyfill, consider the following measures:

  • Subresource Integrity (SRI): Use SRI to ensure that the files you fetch (such as scripts or stylesheets) are delivered without unexpected modifications. This helps protect your site against malicious changes to external resources.
  • Self-Hosting Critical Resources: When possible, self-host critical JavaScript libraries and resources instead of relying on third-party CDNs. This reduces the risk of supply chain attacks.
  • Monitor Third-Party Services: Conduct regular security audits of your website’s third-party dependencies. Verify that all external scripts and resources are trustworthy and up to date.
  • Automatic URL Rewriting: Implement automatic URL rewriting features available from providers like Cloudflare, which can redirect requests from compromised domains to secure mirrors.
  • Content Security Policy (CSP): Deploy CSP headers to restrict the sources from which your site can load resources. This can help mitigate the impact of malicious scripts.

Indicators of Compromise (IoCs) Related to Polyfill Supply Chain Attack

  • https://kuurza[.]com/redirect?from=bitget
  • https://www.googie-anaiytics[.]com/html/checkcachehw.js
  • https://www.googie-anaiytics[.]com/ga.js
  • https://cdn.bootcss[.]com/highlight.js/9.7.0/highlight.min.js
  • https://union.macoms[.]la/jquery.min-4.0.2.js
  • https://newcrbpc[.]com/redirect?from=bscbc
  • bootcdn[.]net
  • staticfile[.]net
  • staticfile[.]org
  • unionadjs[.]com
  • xhsbpza[.]com

Indicators of Compromise (IoCs) Related to Compromise of WordPress Plugins

Attacker-controlled server’s IP address:


Known usernames of attacker-generated administrative user accounts:

  • Options
  • PluginAuth

Attackers often exploit third-party vendors, tools, and services in supply chain attacks to distribute malware. To prevent these threats and enhance your security posture, SOCRadar offers the Supply Chain Intelligence module.

This module alerts you on companies that have been targets of cyberattacks, provides actionable intelligence, and ensures you stay protected from weaknesses in your supply chain.

SOCRadar’s Supply Chain Intelligence module, Analytics Dashboard

SOCRadar’s Supply Chain Intelligence module, Analytics Dashboard

Monitor and Strengthen Your Supply Chain Security with SOCRadar

SOCRadar provides the much-needed Cyber Threat Intelligence (CTI) to empower your organization against cyber incidents, providing proactive insights into potential threats.

CTI solutions like SOCRadar enhance supply chain visibility by mapping the attack surface, offering early vulnerability detection, and assisting in implementing effective cybersecurity measures.

SOCRadar’s Supply Chain Intelligence module provides you with real-time cybersecurity updates, reports, and alarms, ensuring you remain informed about emerging threats targeting your organization’s supply chain.

SOCRadar’s Supply Chain Intelligence module, 3rd Party Companies

SOCRadar’s Supply Chain Intelligence module, 3rd Party Companies

Additionally, the platform provides insights into global trends for country and sector-specific attacks, enabling you to forecast and defend against supply chain threats.

SOCRadar’s Supply Chain Intelligence module, Global Trends

SOCRadar’s Supply Chain Intelligence module, Global Trends