The Polyfill.io software supply chain attack: Lessons learned

Sansec disclosed a major supply chain attack in which the Polyfill.io CDN was used to push malicious code to websites and their visitors. The incident highlights the risk of trusting third-party services and the role of typosquatted domains; remediation resources such as Polykill.io help identify affected sites.

Key points

  • Sansec disclosed a major software supply chain attack using the Polyfill.io CDN to push malicious code to websites and their visitors.
  • Polyfill.io was acquired by Funnull; after the purchase, the CDN script was modified to introduce malicious functions, forcing maintainers to remove cdn.polyfill.io from their scripts.
  • The attack can affect any site embedding Polyfill.io and can deliver malware to mobile devices via a drive-by mechanism.
  • IoCs include typosquatted URLs and a domain masquerading as Google Analytics as indicators of compromise.
  • The malware includes protections against reverse engineering and will not execute if an admin user is detected.
  • Remediation steps include removing calls to cdn.polyfill.io and using resources such as Polykill.io to identify and replace impacted sites, along with broader lessons on third-party trust.
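The first remediation step above is finding every page that still embeds the compromised CDN. The following scanner is an added example (not code from the page, from Sansec, or from ReversingLabs) that parses saved HTML and flags external script tags whose host is polyfill.io or a subdomain; the look-alike checks and the hosts in the sample page are assumptions constructed for the demonstration, not domains named on the page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The compromised CDN domain named on the page; subdomains (cdn.polyfill.io) match too.
COMPROMISED_DOMAINS = {"polyfill.io"}
# Heuristics (assumptions, not domains from the page): "polyfill" spelled in other hosts,
# and hosts that resemble Google Analytics but are not the genuine one.
LOOKALIKE_TOKENS = ("polyfill", "pollyfill")
GENUINE_GA_HOSTS = {"google-analytics.com", "www.google-analytics.com"}

def host_of(src):
    """Lowercase hostname of a script URL; protocol-relative '//host/..' embeds are common."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlsplit(src).hostname or "").lower()

def classify_host(host):
    """Return a reason string for a suspicious host, or None for a benign one."""
    for d in COMPROMISED_DOMAINS:
        if host == d or host.endswith("." + d):
            return "compromised-cdn"
    if any(tok in host for tok in LOOKALIKE_TOKENS):
        return "polyfill-lookalike"
    if "google" in host and "analytics" in host and host not in GENUINE_GA_HOSTS:
        return "ga-lookalike"
    return None

class ScriptCollector(HTMLParser):
    """Collects every external <script src=...> whose host is suspicious."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            host = host_of(src)
            reason = classify_host(host)
            if reason:
                self.findings.append({"src": src, "host": host, "reason": reason})

def find_suspicious_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.findings

# Constructed sample page: the compromised CDN, a benign analytics tag, a look-alike
# host, and a different CDN whose path merely contains "polyfill" (must not be flagged).
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//www.google-analytics.com/analytics.js"></script>
<script src="https://cdn.pollyfill.example/v3/polyfill.min.js"></script>
<script src="https://cdn.example-cdn.net/polyfill/v3/polyfill.min.js"></script>
</head><body></body></html>"""
```

Running `find_suspicious_scripts(SAMPLE_HTML)` flags only the first and third tags; the host-based check deliberately ignores a path that happens to contain "polyfill" so that a self-hosted or re-hosted copy of the library is not reported.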

MITRE Techniques

  • [T1195] Supply Chain Compromise – The Polyfill.io CDN was compromised and pushed out malicious code to countless websites. “The CDN, used by a countless number of websites, was pushing out malicious code and redirecting a significant number of Internet users to spam sites.”
  • [T1189] Drive-by Compromise – Malware delivered to users via websites embedding the CDN. “Polyfill.io domain injects malware on mobile devices via any site that embeds the CDN.”
  • [T1583.001] Acquire Infrastructure – Typosquatted URLs and a Google Analytics masquerade domain used as IoCs. “Indicators of Compromise (IoCs) for the attack also include typosquatted URLs, including one masquerading as Google Analytics.”
  • [T1036] Masquerading – Typosquatted domain masquerading as Google Analytics used as an indicator. “Indicators of Compromise (IoCs) for the attack also include typosquatted URLs, including one masquerading as Google Analytics.”
  • [T1059.007] JavaScript – Malicious script executed in the browser via the CDN. “After Funnull acquired the domain, the CDN’s script was modified to introduce malicious functions.”
  • [T1497.001] Virtualization/Sandbox Evasion – Anti-analysis checks (admin user detection) prevent execution. “the code has specific protections against reverse engineering, and the malicious functions won’t be executed to the impacted device if an admin user is detected.”

Indicators of Compromise

  • [Domain] IoCs – cdn.polyfill.io, pollykill.io, and a typosquatted Google Analytics masquerade domain; used as indicators of compromise for this attack

Read more: https://www.reversinglabs.com/blog/the-pollyfillio-supply-chain-attack-lessons-learned