The availability chain assault concentrating on widely-used Polyfill[.]io JavaScript library is wider in scope than beforehand thought, with new findings from Censys displaying that over 380,000 hosts are embedding a polyfill script linking to the malicious area as of July 2, 2024.
This contains references to “https://cdn.polyfill[.]io” or “https://cdn.polyfill[.]com” of their HTTP responses, the assault floor administration agency stated.
“Roughly 237,700, are situated throughout the Hetzner community (AS24940), primarily in Germany,” it famous. “This isn’t shocking – Hetzner is a well-liked internet hosting service, and lots of web site builders leverage it.”
Additional evaluation of the affected hosts has revealed domains tied to outstanding firms like WarnerBros, Hulu, Mercedes-Benz, and Pearson that reference the malicious endpoint in query.
Particulars of the assault emerged in late June 2024 when Sansec alerted that code hosted on the Polyfill area had been modified to redirect customers to adult- and gambling-themed web sites. The code modifications had been made such that the redirections solely befell at sure instances of the day and solely in opposition to guests who met sure standards.
The nefarious habits is claimed to have been launched after the area and its related GitHub repository had been bought to a Chinese language firm named Funnull in February 2024.
The event has since prompted area registrar Namecheap to droop the area, content material supply networks corresponding to Cloudflare to mechanically substitute Polyfill hyperlinks with domains resulting in various secure mirror websites, and Google to dam advertisements for websites embedding the area.
Whereas the operators tried to relaunch the service underneath a distinct area named polyfill[.]com, it was additionally taken down by Namecheap as of June 28, 2024. Of the two different domains registered by them for the reason that begin of July – polyfill[.]web site and polyfillcache[.]com –the latter stays up and working.
On high of that, a extra in depth community of probably associated domains, together with bootcdn[.]internet, bootcss[.]com, staticfile[.]internet, staticfile[.]org, unionadjs[.]com, xhsbpza[.]com, union.macoms[.]la, newcrbpc[.]com, has been uncovered as tied to the maintainers of Polyfill, indicating that the incident could be a part of a broader malicious marketing campaign.

“One in all these domains, bootcss[.]com, has been noticed participating in malicious actions which might be similar to the polyfill[.]io assault, with proof courting again to June 2023,” Censys famous, including it found 1.6 million public-facing hosts that hyperlink to those suspicious domains.
“It would not be solely unreasonable to contemplate the chance that the identical malicious actor liable for the polyfill.io assault may exploit these different domains for related actions sooner or later.”
The event comes as WordPress safety firm Patchstack warned of cascading dangers posed by the Polyfill provide chain assault on websites working the content material administration system (CMS) via dozens of respectable plugins that hyperlink to the rogue area.