Over 380k Hosts Still Referencing Malicious Polyfill Domain: Censys


JavaScript scripts referencing the recently suspended polyfill.io domain are present on over 380,000 internet-exposed hosts, attack surface management firm Censys reports.

Used to host polyfills, small JavaScript shims that implement modern browser features for older browsers, polyfill.io was suspended last week, after it was caught redirecting visitors of websites that embedded polyfill.io scripts to betting and adult sites.

The security community linked the malicious behavior to the site’s owner, the Chinese content delivery network (CDN) company Funnull, which bought polyfill.io and the associated GitHub repository in February 2024.

The supply chain attack was estimated to have impacted just over 100,000 websites and triggered a prompt response from the industry, including warnings from Google, uBlock Origin blocking polyfill.io, and Namecheap suspending it.

Now, Censys says that the potential impact from the incident was much larger: as of July 2, there are still 384,773 hosts embedding a polyfill script referencing the malicious domain.

Most of these are in Germany, within the Hetzner network (AS24940), but domains tied to major platforms, including Hulu, Mercedes-Benz, Pearson, and Warner Bros, also have a large number of hosts linking to the malicious polyfill endpoint.

According to Censys, an analysis of the identified domains shows broad usage of polyfill.io across various sectors, including government websites: 182 of the affected hosts were serving .gov domains.

“While estimates of the scale of affected websites vary widely between sources (Sansec reported 100,000, while Cloudflare suggested ‘tens of millions’), it’s clear that this supply chain attack has had a widespread impact,” Censys notes.


The good news is that significantly more websites are now using alternative polyfill endpoints, such as the mirrors run by Fastly and Cloudflare: the number went from 80,312 on June 28 to 216,504 on July 2.

The bad news is that the polyfill incident might be part of a broader malicious campaign dating back to June 2023, one that appears to involve four other domains likely controlled by the same threat actor, namely bootcdn[.]net, bootcss[.]com, staticfile[.]net, and staticfile[.]org.

“One of these domains, bootcss[.]com, has been observed engaging in malicious activities that are very similar to the polyfill[.]io attack, with evidence dating back to June 2023,” Censys says.

The cybersecurity firm found a post on a Chinese developer forum that warned on June 20, 2023, of a malicious JavaScript file hosted on cdn.bootcss.com that, like the polyfill.io script, redirected users based on their geolocation.

Censys discovered that there are 1.6 million public-facing hosts that link to these suspicious domains, but notes that bootcss appears to be the only one showing signs of malicious activity.
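The practical question for a site owner is whether their own pages still reference any of the five domains above. The following Python script is an added example, not code from Censys or from this article: it parses HTML, collects every `<script src>` and `<link href>`, and flags those whose host is one of the listed domains or a subdomain of one (so `cdn.polyfill.io` and `cdn.bootcss.com` match, while `polyfill.io.example.com` does not). The sample HTML is constructed for the example, and the replacement prefix for polyfill.io URLs (Cloudflare's mirror) is an assumption; the article names Fastly and Cloudflare as alternative providers but gives no URLs, so verify the endpoint before deploying a rewrite.

```python
"""Flag HTML that still loads resources from the domains named in the Censys report.

Added example; not Censys' tooling. The sample page and the replacement
prefix are assumptions made for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The suspended polyfill.io domain plus the four domains Censys ties to the
# same operator (shown with brackets in the article; plain here for matching).
SUSPECT_DOMAINS = (
    "polyfill.io",
    "bootcdn.net",
    "bootcss.com",
    "staticfile.net",
    "staticfile.org",
)

# ASSUMED replacement: Cloudflare's polyfill mirror. The article does not
# give this URL; confirm it against the provider's documentation.
SAFE_POLYFILL_PREFIX = "https://cdnjs.cloudflare.com/polyfill/"


def host_is_suspect(url):
    """True if the URL's host is a suspect domain or a subdomain of one.

    urlsplit handles absolute ("https://...") and scheme-relative ("//...")
    URLs; relative paths ("/static/app.js") have no host and are never flagged.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


class ExternalResourceFinder(HTMLParser):
    """Collects the URLs of external scripts and stylesheets on a page."""

    def __init__(self):
        super().__init__()
        self.urls = []  # list of (kind, url)

    # HTMLParser lowercases tag and attribute names for us.
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.urls.append(("script", a["src"]))
        elif tag == "link" and a.get("href"):
            self.urls.append(("link", a["href"]))


def find_suspect_references(html):
    """Return the (kind, url) pairs on the page that point at suspect domains."""
    parser = ExternalResourceFinder()
    parser.feed(html)
    parser.close()
    return [(kind, url) for kind, url in parser.urls if host_is_suspect(url)]


def rewrite_polyfill_url(url):
    """Point a polyfill.io URL at the assumed mirror, keeping path and query.

    Only polyfill.io references are rewritten; the other four domains serve
    arbitrary libraries and have no single drop-in replacement.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != "polyfill.io" and not host.endswith(".polyfill.io"):
        return url
    new_url = SAFE_POLYFILL_PREFIX + parts.path.lstrip("/")
    return new_url + ("?" + parts.query if parts.query else "")


# Constructed sample page: three suspect references, one already-migrated
# polyfill reference, and one same-origin script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.bootcss.com/jquery/3.6.0/jquery.min.js"></script>
<link rel="stylesheet" href="https://cdn.staticfile.org/twitter-bootstrap/4.6.0/css/bootstrap.min.css">
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js?features=es6"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for kind, url in find_suspect_references(SAMPLE_HTML):
        print(f"{kind}: {url} -> {rewrite_polyfill_url(url)}")
```

Two caveats when using this as a check. First, the malicious polyfill.io server chose its payload by geolocation and user agent, so fetching the script from your own network and seeing clean code proves nothing; the reference itself is the finding. Second, a static parser only sees markup in the HTML response; scripts injected at runtime (for example via `document.createElement("script")`) need a browser-based crawl or a Content Security Policy report to surface.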

“It wouldn’t be entirely unreasonable to consider the possibility that the same malicious actor responsible for the polyfill.io attack might exploit these other domains for similar activities in the future,” Censys concludes.

Related: Critical CocoaPods Flaws Exposed Many iOS, macOS Apps to Supply Chain Attacks

Related: Several Plugins Compromised in WordPress Supply Chain Attack

Related: Watch Now: Supply Chain & Third-Party Risk Summit 2024

