Polyfill.io Supply-Chain Attack (2024)
What is the Polyfill.io Supply-Chain Attack (2024)?
A June 2024 supply-chain compromise in which the polyfill.io CDN, after being acquired by a Chinese-linked company, began serving malicious JavaScript to an estimated 100,000+ sites embedding its widely-used `<script>` tag.
The Polyfill.io supply-chain attack is a 2024 incident centered on `cdn.polyfill.io`, a long-running free service that returned per-browser JavaScript polyfills. In February 2024 the original maintainer (Andrew Betts) publicly warned that the polyfill.io domain and GitHub account had been transferred to a new operator, 'Funnull', without his involvement, and recommended sites stop using it. The warning was largely ignored. In June 2024, Sansec and other researchers confirmed that the CDN had begun injecting malicious code targeting mobile users — redirecting them to scam sites and credential-harvest pages — and that the same domain was implicated in similar incidents against `bootcss.com`, `bootcdn.net`, and `staticfile.org`. Estimates of affected sites range from 100,000 to over 380,000, including high-profile names. Cloudflare and Google rolled out automatic mitigations (URL rewrites to safe mirrors, ad-blocking), Namecheap suspended the domain, and the incident is widely cited as a case study in the dangers of free third-party CDNs and untracked ownership changes.
● Examples
- 01
A retailer including `<script src="https://cdn.polyfill.io/v2/polyfill.min.js">` for legacy IE support began serving redirect-to-scam JS to mobile users overnight.
- 02
Defenders responded by migrating to self-hosted polyfills or to Cloudflare's safe mirror, then adopting subresource integrity for any remaining third-party scripts.
● Frequently asked questions
What is the Polyfill.io Supply-Chain Attack (2024)?
A June 2024 supply-chain compromise in which the polyfill.io CDN, after being acquired by a Chinese-linked company, began serving malicious JavaScript to an estimated 100,000+ sites embedding its widely-used `<script>` tag. It belongs to the Attacks and Threats category of cybersecurity.
How do you defend against the Polyfill.io Supply-Chain Attack (2024)?
Defending against the Polyfill.io Supply-Chain Attack (2024) typically combines technical controls and operational practices, as described in the definition above.
What are other names for the Polyfill.io Supply-Chain Attack (2024)?
Common aliases: Polyfill.io attack, Funnull CDN attack.
● Related terms
- attacks № 1234
Supply-chain attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.
- appsec № 1186
Software supply-chain security
The practice of protecting every link in software production, from source code, dependencies, build, signing, and distribution through to deployment, against tampering, malicious code, and loss of integrity.
- appsec № 1232
Subresource Integrity (SRI)
A mechanism by which the browser verifies a cryptographic hash of a script or stylesheet loaded from a third party before executing it, preventing tampered files from running.
- attacks № 714
Magecart attack
A collective term for digital-skimming attacks that inject malicious JavaScript into the payment pages of e-commerce sites and steal card details at the moment customers enter them.
- network-security № 169
CDN security
CDN security uses the global edge of a content delivery network to terminate TLS close to the user while providing DDoS protection, a WAF, bot management, and secure TLS operation.
- privacy № 1263
Third-party cookie
A cookie set by a domain other than the one in the browser's address bar, historically used for cross-site user tracking.