Polyfill code breach much bigger than previously thought, with nearly 400,000 customers affected


The Polyfill supply chain attack is possibly around three times bigger than previously thought, experts have warned.

Rather than the 100,000 sites previously thought to be hit, new findings from the Censys Research Team claim that, a week after Polyfill was observed serving malware, 384,773 sites were still linking to the service.

“Since the domain was suspended, the supply-chain attack has been halted,” Aidan Holland, a member of the Censys Research Team, wrote in an email. “However, if the domain was to be un-suspended or transferred, it could resume its malicious behavior. My hope is that NameCheap properly locked down the domain and would prevent this from occurring.”

More than a million victims

Here is a little background: a polyfill is a piece of JavaScript that implements newer browser features for older browsers that don’t natively support them. The polyfill[.]io website was a popular hosted provider of such polyfills, and it seems to have been used by at least 380,000 different websites.

In February 2024, the site and the accompanying GitHub account were sold to a Chinese company called Funnul. A few months later, in late June, cybersecurity researchers from Sansec reported that the domain had started redirecting visitors to adult and gambling websites. The redirections were clearly deliberate, since they were only performed at certain times of day and only for visitors that matched certain conditions. Funnul did not reply to anyone’s request for comment.

When Sansec sounded the alarm, Cloudflare and Fastly set up their own versions of the Polyfill.io service, giving users a trusted alternative. "No website today requires any of the polyfills in the http://polyfill.io library," tweeted the original Polyfills service project developer. "Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth."

Google also chimed in, notifying affected advertisers that their landing pages might now redirect visitors away from their intended destination and towards potentially malicious websites.

That being said, having hundreds of thousands of websites still linking to the malicious service is a major red flag. To make matters worse, among them seem to be a couple of high-profile players, such as Hulu, Mercedes-Benz, Warner Bros., and even a couple of websites belonging to the US government, ArsTechnica reported.
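The sites counted above remain exposed because their pages still carry a script tag that loads from polyfill.io, so the first thing a site owner wants is a way to find such references in their own HTML. The following check is an added example written for this page, not code from the article, Censys or any of the projects mentioned; it only knows the polyfill.io domain named in the article, and the sample HTML (including the `cdn.example-mirror.test` placeholder standing in for a replacement mirror) is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain named in the article; the check also matches its subdomains (e.g. cdn.polyfill.io).
SUSPENDED_DOMAIN = "polyfill.io"


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def _host_of(src):
    # Protocol-relative URLs (//cdn.polyfill.io/...) have no scheme; add one so
    # urlparse recognises the host part. Relative paths yield no host at all.
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def references_domain(src, domain=SUSPENDED_DOMAIN):
    """True if the script URL's host is `domain` or a subdomain of it.

    Matching on the parsed host (not a substring search) keeps lookalikes such as
    polyfill.io.example.com or a path containing 'polyfill.io' from matching."""
    host = _host_of(src)
    return host == domain or host.endswith("." + domain)


def find_polyfill_references(html, domain=SUSPENDED_DOMAIN):
    """Return the script src values in `html` that load from `domain` or a subdomain."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [s for s in parser.sources if references_domain(s, domain)]


# Constructed sample page: two references to the suspended domain (one of them
# protocol-relative), a lookalike host, a local script and a mirror on a
# placeholder host. Only the first two should be reported.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://polyfill.io.example.com/x.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example-mirror.test/polyfill.min.js"></script>
</head><body><p>Hello</p></body></html>
"""

if __name__ == "__main__":
    for src in find_polyfill_references(SAMPLE_HTML):
        print("still loads from polyfill.io:", src)
```

Run it against saved copies of your own pages (or templates); any hit is a script reference that should be removed or pointed at one of the alternative hosts the article mentions.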

And that’s not all. Funnul owns a number of other domains that serve similarly malicious code, and taken together, more than 1.6 million sites were linking to them.

Via ArsTechnica


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.