Polyfill.io Supply-Chain Attack (2024)
What is the Polyfill.io Supply-Chain Attack (2024)?
A June 2024 supply-chain compromise in which the polyfill.io CDN, after its domain and GitHub project were acquired by Funnull, a Chinese-linked company, began serving malicious JavaScript to an estimated 100,000+ sites that embedded its widely used `<script>` tag.
The Polyfill.io supply-chain attack is a 2024 incident centered on `cdn.polyfill.io`, a long-running free service that returned a JavaScript polyfill bundle tailored to the requesting browser's User-Agent. In February 2024 the project's original author, Andrew Betts, publicly warned that the polyfill.io domain and GitHub account had been sold to a new operator, Funnull, in a transaction he had no part in, and recommended that sites stop using the service. The warning was largely ignored. In June 2024, Sansec and other researchers confirmed that the CDN had begun injecting malicious code: mobile users were redirected to sports-betting and other scam sites, and the payload was served selectively (by User-Agent and time of day, and withheld when analytics tooling or an admin session was detected), so that routine testing from a desktop browser did not reveal it. The same operator's infrastructure was linked to similar injections through `bootcss.com`, `bootcdn.net`, and `staticfile.org`. Estimates of affected sites range from 100,000 (Sansec) to over 380,000 (Censys scan data), including high-profile names. Cloudflare and Fastly published safe mirrors and Cloudflare automatically rewrote polyfill.io URLs for its customers, Google began blocking ads on landing pages that loaded the script, Namecheap suspended the domain, and the incident is widely cited as a case study in the dangers of free third-party CDNs and untracked ownership changes.
● Examples
- 01
A retailer that included `<script src="https://cdn.polyfill.io/v2/polyfill.min.js">` for legacy Internet Explorer support began serving redirect-to-scam JavaScript to its mobile visitors overnight, with no change to its own code or deployment.
- 02
Defenders responded by migrating to self-hosted polyfill bundles (or dropping polyfills that no supported browser still needs) or to the Cloudflare and Fastly mirrors, then adopting Subresource Integrity for any remaining third-party scripts. SRI only works for fixed files: the original polyfill.io returned different code per User-Agent, so an `integrity` attribute could never have protected that tag, and self-hosting a static bundle is what makes SRI applicable.
● FAQ
What is the Polyfill.io Supply-Chain Attack (2024)?
A June 2024 supply-chain compromise in which the polyfill.io CDN, after its domain and GitHub project were acquired by Funnull, a Chinese-linked company, began serving malicious JavaScript to an estimated 100,000+ sites that embedded its widely used `<script>` tag. It belongs to the Attacks & Threats category of cybersecurity.
How does the Polyfill.io Supply-Chain Attack (2024) work?
No victim site was breached. Control of a domain that hundreds of thousands of pages already loaded scripts from changed hands, and the new operator changed what that domain returned, selectively serving redirect code to mobile visitors; see the full description above.
How do you defend against the Polyfill.io Supply-Chain Attack (2024)?
Inventory every cross-origin `<script>` and stylesheet your pages load; remove polyfill.io tags (modern browsers need few or no polyfills) or replace them with a self-hosted bundle or a vetted mirror; add Subresource Integrity to any remaining third-party file that is served as fixed content; and track ownership of the domains you depend on, since the February 2024 warning preceded the June injection by four months.
What other names does the Polyfill.io Supply-Chain Attack (2024) go by?
Common aliases include: Polyfill.io attack, Funnull CDN attack.
● Related terms
- attacks № 1234
Supply-chain attack
An attack that compromises a trusted third-party software, hardware or service provider in order to reach that provider's downstream customers.
- appsec № 1186
Software supply-chain security
The discipline of protecting every link in the software production chain (source code, dependencies, build, signing, distribution and deployment) against tampering, malicious code and loss of integrity.
- appsec № 1232
Subresource Integrity (SRI)
A browser mechanism that verifies the cryptographic hash of a third-party script or stylesheet before executing it, so that a tampered file is refused.
- attacks № 714
Magecart attack
A class of digital-skimming attacks that inject malicious JavaScript into e-commerce checkout pages to steal payment-card data as the customer types it.
- network-security № 169
CDN security
The use of a content delivery network's global edge nodes, which terminate TLS close to users, to provide DDoS protection, WAF, bot management and hardened TLS configuration.
- privacy № 1263
Third-party cookie
A cookie set by a domain other than the one shown in the browser's address bar, historically used to track users across sites.