Polyfill.io Supply-Chain Attack (2024).

A June 2024 supply-chain compromise in which the polyfill.io CDN, after being acquired by a Chinese-linked company, began serving malicious JavaScript to an estimated 100,000+ sites embedding its widely-used `<script>` tag. Cette notion relève de la catégorie Attaques et menaces en cybersécurité.

A June 2024 supply-chain compromise in which the polyfill.io CDN, after being acquired by a Chinese-linked company, began serving malicious JavaScript to an estimated 100,000+ sites embedding its widely-used `<script>` tag.

The Polyfill.io supply-chain attack is a 2024 incident centered on `cdn.polyfill.io`, a long-running free service that returned per-browser JavaScript polyfills. In February 2024 the original maintainer (Andrew Betts) publicly warned that the polyfill.io domain and GitHub account had been transferred to a new operator, 'Funnull', without his involvement, and recommended sites stop using it. The warning was largely ignored. In June 2024, Sansec and other researchers confirmed that the CDN had begun injecting malicious code targeting mobile users — redirecting them to scam sites and credential-harvest pages — and that the same domain was implicated in similar incidents against `bootcss.com`, `bootcdn.net`, and `staticfile.org`. Estimates of affected sites range from 100,000 to over 380,000, including high-profile names. Cloudflare and Google rolled out automatic mitigations (URL rewrites to safe mirrors, ad-blocking), Namecheap suspended the domain, and the incident is widely cited as a case study in the dangers of free third-party CDNs and untracked ownership changes.

Les défenses contre Polyfill.io Supply-Chain Attack (2024) combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.

Noms alternatifs courants : Polyfill.io attack, Funnull CDN attack.