Polyfill.io Supply-Chain Attack (2024).

A June 2024 supply-chain compromise in which the polyfill.io CDN, after being acquired by a Chinese-linked company, began serving malicious JavaScript to an estimated 100,000+ sites embedding its widely-used `<script>` tag. It belongs to the Attacks & Threats category of cybersecurity.

A June 2024 supply-chain compromise in which the polyfill.io CDN, after being acquired by a Chinese-linked company, began serving malicious JavaScript to an estimated 100,000+ sites embedding its widely-used `<script>` tag.

The Polyfill.io supply-chain attack is a 2024 incident centered on `cdn.polyfill.io`, a long-running free service that returned per-browser JavaScript polyfills. In February 2024 the original maintainer (Andrew Betts) publicly warned that the polyfill.io domain and GitHub account had been transferred to a new operator, 'Funnull', without his involvement, and recommended sites stop using it. The warning was largely ignored. In June 2024, Sansec and other researchers confirmed that the CDN had begun injecting malicious code targeting mobile users — redirecting them to scam sites and credential-harvest pages — and that the same domain was implicated in similar incidents against `bootcss.com`, `bootcdn.net`, and `staticfile.org`. Estimates of affected sites range from 100,000 to over 380,000, including high-profile names. Cloudflare and Google rolled out automatic mitigations (URL rewrites to safe mirrors, ad-blocking), Namecheap suspended the domain, and the incident is widely cited as a case study in the dangers of free third-party CDNs and untracked ownership changes.

Defences for Polyfill.io Supply-Chain Attack (2024) typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: Polyfill.io attack, Funnull CDN attack.