Polyfill supply chain attack hits 100K+ sites
June 27, 2024, 12:56 p.m.
Description
A malicious Chinese entity acquired control over the popular Polyfill JS open-source project and has been injecting malware into over 100,000 websites that embed scripts from the polyfill.io content delivery network. The malware redirects mobile users to a fraudulent sports betting site hosted on a domain impersonating Google Analytics. The attack employs various evasion techniques and targets specific devices and time windows. While trustworthy alternatives are available, it's recommended to remove any references to polyfill.io from your codebase, as the library is no longer necessary for modern browsers.
Date
- Created: June 27, 2024, 12:32 p.m.
- Published: June 27, 2024, 12:32 p.m.
- Modified: June 27, 2024, 12:56 p.m.
Indicators