Polyfill.io Supply Chain Attack Smacks Down 100K+ Websites

Published: 23/11/2024   Category: security




The site is supplying malicious code that delivers dynamically generated payloads and can lead to other attacks, after a Chinese organization bought it earlier this year.



A domain that more than 100,000 websites use to deliver JavaScript code is now being used as a conduit for a Web supply chain attack that uses dynamically generated payloads, redirects users to pornographic and sports-betting sites, and can potentially lead to data theft, clickjacking, or other attacks. The malicious activity follows the sale of the domain polyfill[.]io to a Chinese organization earlier this year.
Security researchers are warning that the cdn[.]polyfill[.]io domain has been compromised to serve malicious code in scripts to end users in a widespread attack. The service lets websites use modern JavaScript features in older browsers by serving only the polyfills a given visitor needs, selected from the requesting browser's User-Agent. That per-request selection is also why the script one visitor receives can differ from what an administrator sees when checking the same URL.
Researchers from security monitoring firm c/side sounded the alarm about the attack in an advisory by founder Simon Wijckmans, warning website owners to "check your code for any use of the polyfill[.]io domain and remove it from your applications."
"This attack places an estimated +100k websites at immediate risk," he wrote. "When a once-safe domain is embedded in thousands of websites and concealed like JavaScript threats are, it becomes a tempting path for malicious actors."
Specifically, researchers discovered "malicious, obfuscated code that dynamically generates payloads based on HTTP headers, activating only on specific mobile devices, evading detection, avoiding admin users, and delaying execution" being injected into devices via websites using cdn[.]polyfill[.]io, Wijckmans wrote.
"In some instances, users receive tampered JavaScript files, which include a fake Google Analytics link," he wrote. "This fake link redirects users to various sports betting and pornographic websites, seemingly based on their region."
Given that the malicious code is JavaScript, it also could at any moment introduce new attacks like formjacking, clickjacking, and broader data theft, Wijckmans noted.
Polyfill users were already clued in back in February to the potential for malicious activity and were advised to stop using the polyfill[.]io domain after it was purchased by Funnull, a Chinese company. Following the sale, the developer of the open source Polyfill project, Andrew Betts, urged users in a post on X to remove references to the content delivery network (CDN), in part because he never owned the site.

"I created the Polyfill service project but I have never owned the domain name and I have had no influence over its sale," he wrote.
A site called Polykill was even created on Feb. 27 to bring awareness to a "major JavaScript supply chain vulnerability," since Polyfill was sold and all Polyfill traffic was pointed to the Baishan Cloud CDN.

Polykill also provides users with alternatives to using the site to deliver JavaScript to their websites, warning users of the many risks associated with "allowing an unknown foreign entity to manage and serve JavaScript within your web application."

"They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords and credit card information directly as users enter the information in the Web browser," according to the site.
Supply chain attacks that compromise website scripts and other code that's used widely across applications or Web properties are serious business, which means anyone using Polyfill needs to take action now, Wijckmans said.

"Third-party resources are in a very powerful position and thus a high value target for bad actors," he wrote, adding that CDNs hosting third-party scripts are especially subject to attack.

However, one thing that's important to note is that the Polyfill service itself is still solid, Wijckmans said. "You can host your own version in a safe and controlled environment without issue."

As the problem lies in the domain cdn[.]polyfill[.]io, it should immediately be removed from any site using it. Moreover, threat feeds currently don't flag the domain, so administrators should not rely on them to catch it, Wijckmans added.
The Polykill website also advises developers to use a code search tool or integrated development environment (IDE) to search for instances of the malicious domain in source code across all projects within an organization. It cites resources by the developer community Fastly Connect that also can help them secure websites that use Polyfill; these include polyfill-fastly[.]net and polyfill-fastly[.]io, which are free drop-in replacements for polyfill[.]io in a website's code.
Fastly's fork of the open source code also can be used to self-host the service to maintain full control over the code delivered to users, according to Fastly.
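As an added example, and not code from c/side, Polykill or Fastly, the following POSIX shell script does what the advisory and the Polykill site recommend: it lists every file in a source tree that references the polyfill.io domain, returning a non-zero status so it can gate a build, and rewrites URL-form references to the polyfill-fastly.net drop-in host named above. The directory argument, the exclusion of node_modules and .git, and the sample files in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not c/side, Polykill or Fastly code): audit a source tree for
# polyfill.io references and rewrite URL-form references to Fastly's
# replacement host. Directory layout and sample files are assumptions.

# "polyfill\.io" also matches the cdn.polyfill.io hostname. It does not match
# the replacement hosts polyfill-fastly.net / polyfill-fastly.io, so a tree
# that has already been migrated reports clean.
POLYFILL_PATTERN='polyfill\.io'

# polyfill_files DIR
#   Print each file under DIR that references polyfill.io, one per line.
#   Exit status 0 = clean, 1 = at least one reference found, so the function
#   can be used directly as a CI gate.
polyfill_files() {
    dir=${1:-.}
    if grep -rlE --exclude-dir=node_modules --exclude-dir=.git \
            "$POLYFILL_PATTERN" "$dir"; then
        return 1
    fi
    return 0
}

# polyfill_rewrite DIR
#   For every file reported by polyfill_files, replace "//cdn.polyfill.io/"
#   and "//polyfill.io/" with "//polyfill-fastly.net/". Only URL-shaped
#   references are touched; a bare hostname (for example in a
#   Content-Security-Policy) is left for a human, and polyfill_files keeps
#   reporting the file until it is fixed. Writing through a temp file avoids
#   the GNU/BSD "sed -i" incompatibility and keeps the file's permissions.
polyfill_rewrite() {
    dir=${1:-.}
    polyfill_files "$dir" | while IFS= read -r f; do
        tmp=$(mktemp) || return 1
        sed -e 's#//cdn\.polyfill\.io/#//polyfill-fastly.net/#g' \
            -e 's#//polyfill\.io/#//polyfill-fastly.net/#g' "$f" > "$tmp" \
            && cat "$tmp" > "$f"
        rm -f "$tmp"
        echo "rewritten: $f"
    done
}

# Command-line use (nothing runs when sourced without arguments):
#   sh polyfill-audit.sh DIR            list offending files, exit 1 if any
#   sh polyfill-audit.sh --rewrite DIR  rewrite URL references in place
# Constructed sample:
#   printf '<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>\n' > index.html
#   sh polyfill-audit.sh .              -> ./index.html   (exit 1)
#   sh polyfill-audit.sh --rewrite .    -> rewritten: ./index.html
#   sh polyfill-audit.sh .              -> (no output, exit 0)
if [ "$#" -gt 0 ]; then
    case "$1" in
        --rewrite) polyfill_rewrite "${2:-.}" ;;
        *)         polyfill_files "$1" ;;
    esac
fi
```

Run the listing step across every repository in the organization, not only the public site's, because the domain also turns up in templates, build configs and CSP headers; the rewrite deliberately leaves non-URL references alone so they are reviewed by hand. If you take the self-hosting route the article describes, point the replacement at your own host instead of polyfill-fastly.net.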





