A large-scale supply chain attack leveraged multiple CDNs (Polyfill.io, BootCDN, Bootcss, Staticfile) to affect vast numbers of websites and was traced to a single operator via Cloudflare keys leaked in a public GitHub repository. The incident underscores how exposed credentials and shared infrastructure can enable widespread compromise, and how the same kind of exposure can also unmask the operator.
#PolyfillIO #BootCDN
Keypoints
- The attack was a large-scale supply chain operation conducted via multiple CDNs, impacting tens of millions of websites.
- Researchers linked all four CDN services (Polyfill.io, BootCDN, Bootcss, Staticfile) to a single operator after discovering leaked Cloudflare keys.
- The exposed credentials included a Cloudflare API token, Cloudflare Zone ID, and Algolia API keys found in a public GitHub repository (.env file).
- DNS records for Polyfill.io were unexpectedly switched to Cloudflare's, which the researchers read as the same operator controlling infrastructure and domain management across multiple domains.
- Injected, obfuscated code was observed, including a check_tiaozhuan function that detects mobile visitors and redirects their browser to another page; discussions of these mobile-targeted redirects appeared on forums as early as mid-2023.
- Defensive guidance: search SIEM and proxy logs for connections to the listed CDN domains, replace the affected services with safer alternatives such as the replacements offered by Cloudflare and Fastly, and use tools like Polykill.io to identify affected sites.
MITRE Techniques
- [T1195] Supply Chain Compromise – The attacker conducted a large-scale supply chain attack via multiple CDNs to affect countless sites. Quote: “…large scale supply chain attack conducted via multiple CDNs…”
- [T1583.001] Acquire Infrastructure – Domains – DNS records for Polyfill.io were mysteriously switched to Cloudflare’s, indicating manipulation of infrastructure/domains. Quote: “…DNS records for Polyfill.io were mysteriously switched to Cloudflare’s…”
- [T1552.001] Credentials in Files – The operator's own repository exposed secrets including a Cloudflare API token, Zone ID, and Algolia keys after an .env file was uploaded publicly. Note that this is the operator's exposure, which enabled attribution by researchers; it is not a technique used against victim sites. Quote: “The secrets leaked in the repository enabled researchers… to attribute the supply chain attack” and “accidentally uploaded an .env file to the public repository.”
- [T1027] Obfuscated/Compressed Files – The injected code included the check_tiaozhuan function used to redirect visitors, with obfuscated delivery observed on BootCSS. Quote: “The ‘check_tiaozhuan’ function, according to the developers, would survey if a visitor was running a mobile device and ‘redirect the user’s browser to another page’.”
Indicators of Compromise
- [Domain] Attack domains – cdn.bootcdn.net, cdn.bootcss.com, cdn.staticfile.net, cdn.staticfile.org, bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com, polyfill.io
- [Credential] Cloudflare API token, Cloudflare Zone ID, Algolia API keys, production MySQL credentials (and other keys) exposed in public repo
- [URL] Related references – https://www.bleepingcomputer.com/news/security/polyfillio-javascript-supply-chain-attack-impacts-over-100k-sites/
- [File] Exposed configuration file – .env containing a Cloudflare API token and Zone ID; an earlier version of the file also contained production MySQL credentials
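As an added example, not part of the original report or of any project named on this page, the Python script below applies the defensive guidance above to the IOC domain list: it walks a page's script, link and iframe tags and a set of proxy log lines and flags any reference to one of the listed domains or their subdomains. The sample HTML and log lines are constructed, and the single-line proxy log format is an assumption. The scanner also reports whether an include carried a Subresource Integrity attribute, but note that SRI would not have protected a polyfill.io include, because that service tailored its response to the requesting User-Agent, so no fixed hash could be pinned.

```python
"""Scan HTML pages and proxy logs for references to the CDN domains listed above."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains taken from the page's Indicators of Compromise list.
IOC_DOMAINS = frozenset({
    "cdn.bootcdn.net", "cdn.bootcss.com", "cdn.staticfile.net", "cdn.staticfile.org",
    "bootcdn.net", "bootcss.com", "staticfile.net", "staticfile.org",
    "unionadjs.com", "xhsbpza.com", "union.macoms.la", "newcrbpc.com", "polyfill.io",
})


def is_ioc_host(host):
    """True if host is one of the IOC domains or a subdomain of one."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def host_of(url):
    """Hostname of an absolute or protocol-relative URL; None for relative paths."""
    return urlsplit(url.strip()).hostname


class _ResourceCollector(HTMLParser):
    """Collects external resource references from script/link/iframe tags."""

    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url, integrity attribute or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = {"script": "src", "link": "href", "iframe": "src"}.get(tag)
        if attr and a.get(attr):
            self.refs.append((tag, a[attr], a.get("integrity")))


def find_ioc_references(html):
    """Return [(tag, url, has_sri)] for every resource loaded from an IOC domain."""
    p = _ResourceCollector()
    p.feed(html)
    return [(tag, url, integrity is not None)
            for tag, url, integrity in p.refs if is_ioc_host(host_of(url))]


# Assumed proxy/access log layout: timestamp client method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_proxy_log(lines):
    """Return [(timestamp, client, host)] for requests whose host is an IOC domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        host = host_of(m.group("url"))
        if is_ioc_host(host):
            hits.append((m.group("ts"), m.group("client"), host))
    return hits


# Constructed sample page (not a real site): two IOC includes, two clean ones.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//cdn.bootcss.com/jquery/3.6.0/jquery.min.js"></script>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5/dist/css/bootstrap.min.css">
<script src="/static/app.js"></script>
</head><body></body></html>"""

# Constructed sample proxy log lines (timestamps, IPs and format are assumptions).
SAMPLE_LOG = [
    "2024-06-26T10:01:02Z 10.0.0.5 GET https://cdn.polyfill.io/v3/polyfill.min.js 200",
    "2024-06-26T10:01:03Z 10.0.0.5 GET https://cdn.jsdelivr.net/npm/bootstrap@5/dist/css/bootstrap.min.css 200",
    "2024-06-26T10:02:11Z 10.0.0.9 GET https://union.macoms.la/jquery.min.js 200",
    "garbage line that does not match",
]

if __name__ == "__main__":
    for hit in find_ioc_references(SAMPLE_HTML):
        print("page references IOC domain:", hit)
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("proxy log hit:", hit)
```

Subdomain matching is deliberate: the IOC list names both apex domains and cdn.* hosts, and an operator can mint new subdomains at will, so matching on the suffix catches those without adding a false positive for lookalikes such as notpolyfill.io.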