Executive Summary:
- On June 25, 2024, the Sansec forensics team published a report revealing a supply chain attack targeting the widely-used Polyfill.io JavaScript library. The attack originated in February 2024 when Funnull, a Chinese company, acquired the previously legitimate Polyfill.io domain and GitHub account. Shortly thereafter, the service began redirecting users to malicious sites and deploying sophisticated malware with advanced evasion techniques.
- On June 27, 2024, Namecheap suspended the malicious polyfill.io domain, mitigating the immediate threat for now. However, Censys still detects 384,773 hosts embedding a polyfill JS script linking to the malicious domain as of July 2,2024, primarily located in Germany.
- These hosts include websites associated with major platforms like Hulu, Mercedes-Benz, and WarnerBros. Security experts strongly advise website owners to remove any references to polyfill.io and its associated domains from their codebase as a precautionary measure. Cloudflare and Fastly have offered alternative, secure endpoints for polyfill services as a workaround.
- Further investigation has uncovered a more extensive network of potentially compromised domains. Researchers identified four additional active domains linked to the same account that owned the polyfill.io domain. Censys detected 1,637,160 hosts referencing one or more of these endpoints. At least one of these domains has been observed engaging in malicious activities dating back to June 2023, but the nature of the other associated domains is currently unknown.
- This incident highlights the growing threat of supply chain attacks on open-source projects
- Detection with Censys
- Censys Search query for exposed hosts referencing the malicious polyfill[.]io domain
- Censys ASM query for exposed hosts referencing the malicious polyfill[.]io domain
- Censys Search query for exposed hosts referencing one of the additional potentially associated domains
- Censys ASM query for exposed hosts referencing one of the additional potentially associated domains
Background:
Over the past week, the web development community has been rocked by a supply chain attack targeting the widely-used Polyfill.io JavaScript library. Polyfill.js is designed to provide support for more modern tools and functionality on older web browsers that don’t natively support them, in order to maintain cross-compatibility.
In February 2024, the Polyfill.io domain and GitHub account were acquired by Funnull, a Chinese CDN company, raising immediate concerns about the service’s legitimacy. Subsequently, malware injected through cdn.polyfill.io began redirecting users to malicious sites, affecting reports of over 100,000 websites, including high-profile platforms such as JSTOR, Intuit, and the World Economic Forum. This sophisticated malware employs various evasion techniques, making it particularly challenging to detect and combat.
Multiple companies have responded to this situation. Cloudflare and Fastly have offered alternative, secure endpoints for users. Google has blocked ads for e-commerce sites using Polyfill.io. The website blocker uBlock Origin added the domain to its filter list. Andrew Betts, the original creator of Polyfill.io, has urged website owners to immediately remove the library, emphasizing that it’s no longer necessary for modern browsers.
The most important recent development is that as of June 27, Namecheap, the domain registrar for polyfill.io, took down the malicious domain – which mitigates the immediate threat.
This story is a reminder of the growing threat of supply chain attacks on open-source projects, especially in the web development ecosystem where applications rely on a diverse technology stack of open source packages for functionality. These dependencies can get tenuous. A memorable example is from 2016, when the removal of a single open-source JavaScript package from npm by a developer caused widespread disruption to websites worldwide, prompting npm to reverse the action within just 2 hours. Interconnected dependencies within the open-source ecosystem have interconnected security implications.
(Relevant xkcd: https://www.explainxkcd.com/wiki/index.php/2347:_Dependency)
Censys Findings
Censys has identified a significant number of web hosts using the polyfill.io CDN. As of the latest data, 384,773 hosts were found to include references to “https://cdn.polyfill[.]io” or “https://cdn.polyfill[.]com” in their HTTP responses.
A notable concentration of these hosts, approximately 237,700, are located within the Hetzner network (AS24940), primarily in Germany. This is not surprising – Hetzner is a popular web hosting service, and many website developers leverage it.
Further analysis of the affected hosts reveals domains tied to major companies such as Warner Bros (www.warnerbros.com), Hulu (www.hulu.com), Mercedes-Benz (shop.mercedes-benz.com), and Pearson (digital-library-qa.pearson.com, digital-library-stg.pearson.com) that have large numbers of hosts referencing the malicious polyfill endpoint. Interestingly, the most common hostname associated with hosts presenting the endpoint is ns-static-assets.s3.amazonaws.com, indicating widespread usage among users of Amazon’s S3 static website hosting.
The presence of domains like “www.feedthefuture.gov” in these top results also highlights the use of polyfill.io across various sectors, including government websites. In total, Censys observed 182 affected hosts displaying a “.gov” domain.
View the following report breaking down hostnames on sites using this endpoint.
While estimates of the scale of affected websites vary widely between sources (Sansec reported 100,000, while Cloudflare suggested “tens of millions”), it’s clear that this supply chain attack has had a widespread impact.
Cloudflare and Fastly have created alternative secure polyfill endpoints for users to mitigate the threat while preventing websites from breaking. Censys has observed 216,504 hosts referencing one of these alternative polyfill endpoints: “polyfill-fastly.io” or “cdnjs.cloudflare.com/polyfill”, an increase from the 80,312 we observed last Friday, June 28.
Investigating the Malicious Polyfill[.]io Domain
We searched historical DNS records for anything that resolved to cdn.polyfill.io. Besides cloudflare and fastly domains, the following three were of interest:
5f52353c.u.fn03.vip.
cdn.polyfill.io.bsclink.cn.
wildcard.polyfill.io.bsclink.cn.
Of these, we found 6 hosts presenting the third domain (wildcard.polyfill.io.bsclink.cn) that were still online as of July 2, 2024:
All are hosted in AS139057, LDPL-AS-AP LEGEND DYNASTY PTE. LTD.
LEGEND DYNASTY PTE. LTD. is a company based in Singapore. According to IPinfo its associated website is edgenext.com, belonging to EdgeNext, a cloud service provider that “specializes in APAC, China, MENA, and global cloud delivery.” (https://www.edgenext.com/). It’s as of yet unclear how this infrastructure is tied to Funnull, the Chinese CDN that owns the malicious polyfill domain.
Another thing to note here is that these hosts are uniformly distributed across different countries: 2 are in the Netherlands, 2 in Spain, and 2 in the U.S.
Other Potentially Associated Domains
Further investigation has uncovered a more extensive network of potentially related domains. A twitter user discovered that the maintainers of the polyfill GitHub repo leaked their CloudFlare API secrets within the repo.
It was thereafter discovered that the leaked Cloudflare API key is still active, and shows 4 additional active domains linked to the same account:
- bootcdn[.]net
- bootcss[.]com
- staticfile[.]net
- staticfile[.]org
One of these domains, bootcss[.]com, has been observed engaging in malicious activities that are very similar to the polyfill[.]io attack, with evidence dating back to June 2023.
Analyzing the malicious polyfill JavaScript code, we see a function named check_tiaozhuan() whose definition starts as such:
function check_tiaozhuan() {
var _isMobile = navigator.userAgent.match(
/(phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone)/i
);
if (_isMobile) {
…
Searching for check_tiaozhuan() yields a post on the Chinese developer forum V2EX from June 20, 2023. The post warns of cdn.bootcss.com being hijacked to spread malware through the highlight.js JavaScript library.
The following interesting quotes were translated from this post using Google Translate:
- “The two main malicious domain names involved were both registered at the end of May”
- “This evil jQuery was introduced by highlight.js hosted on cdn.bootcss.com. When the request for highlight.js has a specific Referer and mobile UA, the server will return highlight.js with malicious code, otherwise it will return normal code, which is highly disguised. Moreover, there are specific conditions for whether malicious jQuery is introduced when this code is executed.”
This tactic seems to closely mirror the tactics used in this attack.
The following comment underneath this post references the check_tiaozhuan() function:
Translated: “The check_tiaozhuan() function appears to check if the user is using a mobile device by checking the navigator object. If they are using a mobile device, it sets the value of _0x34f873 based on various conditions and then calls the vfed_update(_0x5e3fa1) function with that value. The vfed_update(_0x5e3fa1) function loads a JavaScript file from the URL specified by _0x5e3fa1, which may redirect the user’s browser to another page.”
This description matches the implementation of the function we observed in the Polyfill[.]io script.
When we dug in Censys Search for any exposed hosts referencing one of the additional suspicious domains, we observed a total of 1,637,160 public-facing hosts combined linking to one of these.
So far, this domain (bootcss.com) is the only one showing any signs of potential malice. The nature of the other associated endpoints remains unknown, and we avoid speculation. However, it wouldn’t be entirely unreasonable to consider the possibility that the same malicious actor responsible for the polyfill.io attack might exploit these other domains for similar activities in the future.
References:
