Polyfill JS Library Injected Malware Into 100K+ Websites

Polyfill.js is a JavaScript library that gives modern functionality on older browsers without native support for some web features.

Polyfills ensure compatibility across a wide range of browsers, enabling developers to use modern JavaScript and web APIs by implementing what was missing.

In February, a Chinese firm purchased the “cdn.polyfill.io” site and the GitHub account for the popular polyfill.js library, which is used by more than 100K sites, including JSTOR, Intuit, and the World Economic Forum.

Since then, researchers at Sansec discovered that there have been complaints about the domain injecting malware targeted at mobile devices to GitHub pages that were quickly deleted.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

Polyfill JS Library Injected

Sansec decoded one variant that redirects mobile users to a gambling website via a simulated Google Analytics domain characterized by anti-reverse engineering protections and selective activation.

The original creator now prevents using Polyfill, while Fastly and Cloudflare offer safe alternatives.

This event depicts a supply chain attack that underscores the importance of monitoring user-loaded third-party code.

Cybersecurity researchers assigned descriptive names to various code components during their investigation to improve understanding. 

However, they noted that one particular function, “tiaozhuan,” was not their creation but rather an original element. 

This Chinese term, interpreted as “jump” in English, was embedded by the threat actors, potentially providing a fine clue about the malware’s origin or its creators’ background.

IoCs

• https://kuurza[.]com/redirect?from=bitget
• https://www.googie-anaiytics[.]com/html/checkcachehw.js
• https://www.googie-anaiytics[.]com/ga.js

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free