The Polyfill supply chain attack compromised popular open-source polyfill projects by injecting malicious JavaScript, primarily impacting mobile users redirected to scam sites. Researchers mapped IoCs across multiple domains and IPs, revealing a broader attack infrastructure and registrant patterns, underscoring the need for ongoing validation and monitoring. #Polyfill #SupplyChainAttack #GoDaddy #DNS #MobileDevices
Keypoints
- Threat actors used back channels—suppliers, vendors, or service providers—to target organizations.
- The Polyfill supply chain attack involved injecting malicious scripts into open-source polyfill projects.
- Compromised polyfills primarily affected mobile device users, redirecting them to scam sites.
- Researchers identified indicators of compromise (IoCs): six domains, two malicious IP addresses, 104 IP-connected domains, and 94 string-connected domains.
- WHOIS analysis showed that most domains were registered via GoDaddy, with DNSPod and Namecheap among the other registrars; creation dates ranged from newly registered to aged (2012–2024).
- Historical WHOIS records revealed email addresses associated with the domains; reverse WHOIS suggested one public email shared across many domains, hinting at domaining activity.
- The report emphasizes the need for further investigations to validate threat information and continue threat intelligence efforts.
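The pivoting described in the key points (IP-connected domains, string-connected domains, then registrar and shared-email patterns from WHOIS), as an added Python example that is not part of the CircleID post or its tooling; every domain, IP and WHOIS record below is a constructed stand-in, not one of the real indicators.

```python
"""Expand a seed IoC set into IP-connected and string-connected domains and
summarise registrant patterns. Added illustration; all data is constructed."""
import re
from collections import Counter, defaultdict

# Constructed stand-ins for passive-DNS and WHOIS lookups. The real post used
# six seed domains and two IPs; none of them are reproduced here.
SEED_DOMAINS = {"polyfill-cdn.test", "staticfill.test"}
SEED_IPS = {"192.0.2.10", "198.51.100.7"}  # RFC 5737 documentation addresses

PASSIVE_DNS = {  # domain -> IPs it has resolved to (constructed)
    "polyfill-cdn.test": {"192.0.2.10"},
    "staticfill.test": {"198.51.100.7"},
    "polyfill-mirror.test": {"192.0.2.10"},
    "shop-deals.test": {"198.51.100.7", "203.0.113.1"},
    "polyfills-pro.test": {"203.0.113.9"},
    "unrelated-news.test": {"203.0.113.5"},
}
WHOIS = {  # domain -> (registrar, registrant email) (constructed)
    "polyfill-cdn.test": ("GoDaddy", "owner1@example.test"),
    "staticfill.test": ("GoDaddy", "owner1@example.test"),
    "polyfill-mirror.test": ("Namecheap", "owner1@example.test"),
    "shop-deals.test": ("DNSPod", "owner2@example.test"),
    "polyfills-pro.test": ("GoDaddy", "owner3@example.test"),
    "unrelated-news.test": ("Namecheap", "owner4@example.test"),
}

def ip_connected(seed_ips, passive_dns, seeds):
    """Domains (other than the seeds) that resolved to any seed IP."""
    return {d for d, ips in passive_dns.items() if ips & seed_ips and d not in seeds}

def seed_tokens(seeds, min_len=6):
    """Distinctive strings taken from the seeds' second-level labels."""
    return {t for d in seeds
            for t in re.split(r"[^a-z0-9]+", d.split(".")[0]) if len(t) >= min_len}

def string_connected(seeds, candidates, min_len=6):
    """Domains (other than the seeds) whose label contains a seed token."""
    tokens = seed_tokens(seeds, min_len)
    return {d for d in candidates
            if d not in seeds and any(t in d.split(".")[0] for t in tokens)}

def registrant_patterns(domains, whois):
    """Registrar counts and emails shared by several domains (reverse-WHOIS view)."""
    registrars = Counter(whois[d][0] for d in domains if d in whois)
    by_email = defaultdict(set)
    for d in domains:
        if d in whois:
            by_email[whois[d][1]].add(d)
    return registrars, {e: sorted(ds) for e, ds in by_email.items() if len(ds) > 1}

def expand(seeds=SEED_DOMAINS, seed_ips=SEED_IPS, passive_dns=PASSIVE_DNS, whois=WHOIS):
    """Return (IP-connected, string-connected, registrar counts, shared emails)."""
    ip_hits = ip_connected(seed_ips, passive_dns, seeds)
    str_hits = string_connected(seeds, passive_dns.keys())
    registrars, shared = registrant_patterns(seeds | ip_hits | str_hits, whois)
    return ip_hits, str_hits, registrars, shared
```

A shared registrant email across an expanded set is a lead for further validation, not proof of a single operator, which is why the post still calls for follow-up checks before the expanded domains are blocked.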
MITRE Techniques
- [T1195] Supply Chain Compromise – Threat actors target third-party vendors or suppliers to gain access to their primary targets.
- [T1203] Malicious Code Injection – Injection of malicious scripts into legitimate software projects to compromise users.
- [T1071] Redirection – Redirecting users to malicious sites through compromised code.
Indicators of Compromise
- [Domain] IoCs – six domains identified in the IoC list
- [IP Address] IoCs – two malicious IP addresses associated with the attack infrastructure
- [Domain] IoCs – 104 IP-connected domains linked to the infrastructure
- [Domain] IoCs – 94 string-connected domains linked to the infrastructure
- [Email] IoCs – historical WHOIS records contained email addresses; two public emails appeared in current records
Read more: https://circleid.com/posts/tracking-the-dns-footprint-of-the-polyfill-supply-chain-attackers