Millions of sites could’ve been exposed in the Polyfill, BootCDN, Bootcss, and Staticfile attack – and it was all orchestrated by a single operator


A wide-reaching supply chain attack leveraging a number of content delivery networks (CDNs), affecting nearly 500,000 websites and potentially millions more, has been traced to an individual operator.

The campaign was initially linked only with one CDN, polyfill.io, a popular open source JavaScript library used to support modern functions in legacy web browsers, but new evidence shows a further three CDNs implicated in the attack.

These additional CDNs - BootCDN, Bootcss, and Staticfile - were also associated with the campaign, bringing the number of potentially vulnerable websites to the tens of millions.

Concerns were raised about the safety of the Polyfill service after its domain was acquired by Chinese CDN firm Funnull in February 2024. Among those to flag the acquisition as worrying was Andrew Betts, creator of Polyfill, who warned users to remove the service immediately.

Service management giant Cloudflare announced it had made a clone of the Polyfill service available on its own CDN, and urged users to switch as soon as possible - outlining why security specialists were so concerned by the acquisition.

“The concerns are that any website embedding a link to the original polyfill.io domain, will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack,” Cloudflare’s Sven Sauleau and Michael Tremante explained.

“Such an attack would occur if the underlying third party is compromised or alters the code being served to end users in nefarious ways, causing, by consequence, all websites using the tool to be compromised.”

Accidentally uploaded .env file helps researchers track attack to one source

Concerns materialized on 25 June when threat intelligence network Sansec claimed the new Chinese owner of the Polyfill project was injecting malicious code into over 100,000 websites.

The blog also reported Google had already started blocking adverts for ecommerce sites using polyfill.io. 

Security research collective MalwareHunterTeam noted that there were a number of additional domains included in Google’s warning to advertisers, alerting them to BootCDN, Bootcss, and Staticfile also being involved in the attack.

Another X user, Ze-Zheng Wu, a developer based in Hangzhou, China, discovered the maintainer of a repository containing much of the backend source code for polyfill.io’s website had accidentally uploaded a file exposing some of their secrets to the internet.

The .env file contained a Cloudflare API key which user mdmck10 found was still active and showed domains for BootCDN, Bootcss, Staticfile, and Polyfill were all active and managed under the same Cloudflare user account.

Nearly 500,000 hosts still referencing polyfill.io endpoint after domain taken offline

In an update published on 26 June, Sansec warned that its infrastructure and one news outlet that had covered its research were targeted by ‘similar’ DDoS attacks.

On 27 June, a further update added that Cloudflare had implemented an automatic JavaScript rewriting service that would rewrite any link to polyfill.io found in a website proxied by Cloudflare to a link to its own open-source CDN: cdnjs.

In addition, web hosting company Namecheap announced it had put the domain on hold, but Sansec recommended admins remove any polyfill.io references in their code.


Internet intelligence specialists Censys posted on X on 28 June that despite the domain being down, it had identified nearly 500,000 hosts still referencing the polyfill.io endpoint.

Among these sites were major entities in the streaming, auto, and entertainment sectors, according to Censys, as well as around 260 hosts linked to government domains.

With the additional four domains associated with BootCDN, Bootcss, and Staticfile, Censys said it observed over 1.5 million hosts referencing one of the “suspicious endpoints”.
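Sansec's advice to remove polyfill.io references, and the Censys finding that hundreds of thousands of hosts were still loading from the endpoint, both come down to one check: which external scripts and stylesheets does a page actually pull in. The following is an added example (not code from Sansec, Cloudflare or Censys) that scans a page's HTML for such references; only polyfill.io is named on this page, so the domain list and the sample HTML are assumptions and constructed input.

```python
# Added example (not Sansec/Cloudflare/Censys code): flag <script>/<link>
# tags loading from polyfill.io so they can be removed or pinned elsewhere.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: only polyfill.io is named in the article; extend this set with
# the other affected CDN hostnames identified in your own review.
SUSPICIOUS_DOMAINS = {"polyfill.io"}


def host_is_suspicious(url: str) -> bool:
    """True if the URL's host is a listed domain or one of its subdomains."""
    # Protocol-relative URLs ("//cdn.polyfill.io/...") have no scheme, but
    # urlsplit still yields the netloc, so they are checked like absolute URLs.
    host = (urlsplit(url.strip()).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SUSPICIOUS_DOMAINS)


class _RefCollector(HTMLParser):
    """Collect external resource URLs from <script src> and <link href>."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = {"script": "src", "link": "href"}.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def find_suspicious_refs(html: str) -> list:
    """Return (tag, url) pairs whose host matches a suspicious domain."""
    collector = _RefCollector()
    collector.feed(html)
    return [(t, u) for t, u in collector.refs if host_is_suspicious(u)]


# Constructed sample page: an absolute and a protocol-relative polyfill.io
# reference, plus first-party and third-party resources that must not match.
SAMPLE_HTML = """<html><head>
<script src="https://polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://example.com/site.css">
</head><body>polyfill.io mentioned in text only is not a load</body></html>"""

if __name__ == "__main__":
    for tag, url in find_suspicious_refs(SAMPLE_HTML):
        print(f"remove <{tag}> loading {url}")
```

Run it against saved HTML of each page in an inventory; a hit in the output is a reference to remove or replace, as Sansec recommended.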

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.