Polyfill.io JavaScript supply chain attack impacts over 100K sites

[spmedia]

Reopening this since Polyfill is just closing issues in an attempt to cover this up.

https://www.bleepingcomputer.com/news/security/polyfillio-javascript-supply-chain-attack-impacts-over-100k-sites/

https://sansec.io/research/polyfill-supply-chain-attack

https://www.theregister.com/2024/06/25/polyfillio_china_crisis/

https://www.scmagazine.com/brief/over-100k-sites-hit-by-polyfill-io-supply-chain-attack

[lovetingyuan]

fuck this, github should ban this repo

[kingcaubalejo]

what's the status of this?

[Daniel15]

Previous issue about this: #2890

[ephraimduncan]

Cloudflare is now hosting an alternative service to replace polyfill(.)io

https://blog.cloudflare.com/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-safer-internet/

https://cdnjs.cloudflare.com/polyfill/

[xtuc]

Cloudflare had a polyfill[.]io mirror for a while: https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk.

What's new is that we are automatically rewriting the insecure polyfill[.]io scripts to our mirror: https://blog.cloudflare.com/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-safer-internet/.

[SkyfallWasTaken]

@lovetingyuan the repo is now flagged

[alvin12]

what's the status of this?

up!

[krystian3w]

What's new is that we are automatically rewriting the insecure polyfill[.]io scripts to our mirror

How? Are they modifying my files and databases?

[xtuc]

@krystian3w if your website is using Cloudflare's cdn and you enabled the polyfill rewriting feature, it will automatically rewrite your scripts tag to point to Cloudflare's fork.

[spmedia]

https://www.bleepingcomputer.com/news/security/polyfillio-bootcdn-bootcss-staticfile-attack-traced-to-1-operator/