The supply chain attack targeting the widely-used Polyfill[.]io JavaScript library has a broader impact than previously thought, as recent findings from Censys reveal that over 380,000 hosts are embedding a polyfill script linking to the malicious domain as of July 2, 2024.
These hosts include references to “https://cdn.polyfill[.]io” or “https://cdn.polyfill[.]com” in their HTTP responses, according to the attack surface management firm.
Of the affected hosts, approximately 237,700 are within the Hetzner network (AS24940) in Germany, including domains associated with well-known companies like WarnerBros, Hulu, Mercedes-Benz, and Pearson that reference the malicious endpoint.
Details of the attack surfaced in late June 2024 when Sansec raised the alarm that code on the Polyfill domain was altered to redirect users to adult and gambling websites at specific times and based on certain criteria.
Following this revelation, domain registrar Namecheap suspended the domain, and content delivery networks like Cloudflare replaced Polyfill links with safer alternatives. Google also blocked ads for sites using the domain.
Despite attempts to relaunch the service under a different domain, such as polyfill[.]com, Namecheap took it down by June 28, 2024.
Additionally, a network of related domains tied to Polyfill maintainers has emerged, hinting at a wider malicious campaign. Censys found that bootcss[.]com, one of these domains, has engaged in similar malicious activities since June 2023.
The potential of the same malicious actor using these domains for future attacks is also a concern.
WordPress security company Patchstack warned of the risks posed by the Polyfill supply chain attack on sites running the CMS through legitimate plugins linking to the rogue domain.
