Sunday, July 14, 2024

Over 380,000+ Hosts Embedding Polyfill JS script Linking to Malicious Domain

Over 380,000 web hosts have been found embedding a compromised JavaScript script, linking to a malicious domain.

This supply chain attack has sent shockwaves through the web development community, highlighting the vulnerabilities inherent in widely used open-source libraries.

Polyfill.js, a popular tool designed to provide modern functionalities for older web browsers, was the target of this sophisticated attack.

In February 2024, the domain and GitHub account for were acquired by Funnull, a Chinese CDN company.

This acquisition raised immediate concerns about the service’s legitimacy.

These concerns were validated when malware injected through began redirecting users to malicious sites.

High-profile platforms such as JSTOR, Intuit, and the World Economic Forum were among the affected, showcasing the widespread impact of this breach.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

The Scale of the Attack

According to Censys, a cybersecurity firm, 384,773 hosts were found to include references to “https://cdn.polyfill[.]io” or “https://cdn.polyfill[.]com” in their HTTP responses.

A significant concentration of these hosts, approximately 237,700, is located within the Hetzner network in Germany.

This is not surprising, given Hetzner’s popularity among web developers.

Further analysis revealed that major companies such as Warner Bros, Hulu, Mercedes-Benz, and Pearson had large numbers of hosts referencing the malicious Polyfill endpoint.

Interestingly, the most common hostname associated with these hosts was, indicating widespread usage among Amazon S3 static website hosting users.

The presence of government domains like “” among the affected hosts underscores the attack’s reach across various sectors.

Censys observed 182 affected hosts displaying a “.gov” domain.

Industry Response and Mitigation Efforts

The attack has prompted swift responses from multiple companies.

Cloudflare and Fastly have offered alternative, secure endpoints for users to mitigate the threat while preventing websites from breaking.

Google has blocked ads for e-commerce sites using, and the website blocker uBlock Origin has added the domain to its filter list.

Andrew Betts, the original creator of, has urged website owners to immediately remove the library, emphasizing that it is no longer necessary for modern browsers.

Namecheap, the domain registrar for, took down the malicious domain, mitigating the immediate threat.

However, the incident is a stark reminder of the growing threat of supply chain attacks on open-source projects.

The interconnected dependencies within the open-source ecosystem mean a single compromised package can have far-reaching security implications.

Investigating the Malicious Domain

Further investigation into the malicious Polyfill[.]io domain revealed additional concerning details.

Historical DNS records linked the domain to several other suspicious domains, including,, and

LEGEND DYNASTY PTE hosted these domains. LTD., a company based in Singapore.

Interestingly, the maintainers of the Polyfill GitHub repository had leaked their Cloudflare API secrets within the repo.

This leak revealed four additional active domains linked to the same account: bootcdn[.]net, bootcss[.]com, staticfile[.]net, and staticfile[.]org.

One of these domains, bootcss[.]com, has been observed engaging in similar malicious activities since June 2023.

Analyzing the malicious Polyfill JavaScript code revealed a function named check_tiaozhuan(), which checks if the user uses a mobile device.

If so, it sets a value based on various conditions. Then it calls another function that loads a JavaScript file from a specified URL, potentially redirecting the user’s browser to another page.

This tactic closely mirrors the methods used in the attack.

The supply chain attack is a stark reminder of the vulnerabilities inherent in the web development ecosystem.

As developers rely on a diverse technology stack of open-source packages, the security of these dependencies becomes crucial.

The incident underscores the need for vigilance and robust security measures to protect against such sophisticated attacks.

As the web development community grapples with the fallout from this breach, the lessons learned will clearly shape future approaches to securing open-source projects.

The industry must continue collaborating and innovating to safeguard the digital infrastructure that underpins our modern world.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles