UPDATED 18:34 EDT / JUNE 26 2024


Supply chain attack compromises 100,000 websites via polyfill.io domain takeover

About 100,000 websites have potentially been compromised in a supply chain attack after the domain behind a popular open-source JavaScript service was taken over by a company alleged to be Chinese-owned.

The compromise traces back to the acquisition in February of polyfill.io, the domain used by the open-source Polyfill project, along with the project’s GitHub account. Polyfill.io is a hosted service that supplies polyfills, pieces of code that implement modern web features in older browsers, so that modern websites work across different browsers. A site uses it by embedding a single script tag that points at cdn.polyfill.io; the service reads the requesting browser’s User-Agent header and returns only the polyfills that browser is missing.

According to researchers at Sansec Technology Co Ltd., since the domain and its GitHub account changed hands, the service has begun serving malicious JavaScript to visitors of any site that embeds a script from cdn.polyfill.io, with the payload aimed at mobile devices. Because the returned code is generated dynamically from the request’s HTTP headers, the operator can tailor what each visitor receives, and Sansec notes that this opens site visitors to multiple attack vectors: a script loaded this way runs with the full privileges of the embedding page, so it can read the page, its cookies and form inputs, or send the visitor elsewhere.

In a separate report, C/side noted that “the malicious code dynamically generates payloads based on HTTP headers, activating only on specific mobile devices, evading detection, avoiding admin users and delaying execution. The code is also obfuscated.”

The practical result is that sites still loading from polyfill.io may, without the site owner’s knowledge, redirect visitors away from their intended destination to a malicious site. So far, affected users have reportedly been redirected to sports betting and adult content websites. The conditional behavior described by C/side also means a site owner testing from a desktop browser or a logged-in admin session may never see the redirect.

The compromise has also drawn a response from Google LLC, which is now warning Google Ads advertisers whose landing pages load third-party JavaScript from polyfill.io and several other domains.

Although the details of the compromise and malware injection are only making headlines today, the service’s original creator, Andrew Betts, warned on Feb. 26 that anyone using the site should remove it immediately. Removal, rather than pinning, is the right fix: Subresource Integrity cannot protect a polyfill.io include, because the served script varies by User-Agent and so has no single hash to pin to, and most current browsers no longer need the polyfills the service was created to deliver.
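A site owner’s first question is whether any page still carries the tag. The following is an added example, not code from the article, from Sansec or from the Polyfill project: a small Node.js audit that parses the script tags in an HTML document, flags any that load from the polyfill.io domains named above, and, more generally, reports cross-origin scripts that lack an integrity attribute. The sample HTML and the host list are constructed for the example; the function and variable names are the example’s own.

```javascript
// Added example (not from the article or the Polyfill project): audit the
// <script src> tags in an HTML document for the compromised polyfill.io
// domains and for cross-origin scripts loaded without Subresource Integrity.
// Runs offline under Node.js; the sample HTML below is constructed.

// Hosts named in the article. Assumption: any subdomain of polyfill.io is
// treated as the same service.
const POLYFILL_HOSTS = new Set(['polyfill.io', 'cdn.polyfill.io']);

// Extract the attributes of every <script ...> opening tag that has a src.
// A regex parser is adequate for an audit of static markup; it is not a
// substitute for a DOM parser on adversarial input.
function parseScriptTags(html) {
  const tags = [];
  const tagRe = /<script\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    if (attrs.src) tags.push(attrs);
  }
  return tags;
}

// Return a list of findings for a page served from pageOrigin.
// Same-origin scripts are skipped; polyfill.io includes are 'critical'
// regardless of attributes, because SRI cannot pin a response that varies
// by User-Agent; other cross-origin scripts without integrity are 'warning'.
function auditScripts(html, pageOrigin) {
  const origin = new URL(pageOrigin).origin;
  const findings = [];
  for (const attrs of parseScriptTags(html)) {
    let url;
    try {
      url = new URL(attrs.src, pageOrigin); // resolves relative and // URLs
    } catch {
      continue; // unparseable src; nothing to fetch
    }
    if (url.origin === origin) continue;
    const host = url.hostname.toLowerCase();
    if (POLYFILL_HOSTS.has(host) || host.endsWith('.polyfill.io')) {
      findings.push({
        src: attrs.src,
        severity: 'critical',
        reason: 'loads from polyfill.io; remove the tag or self-host the code',
      });
    } else if (!attrs.integrity) {
      findings.push({
        src: attrs.src,
        severity: 'warning',
        reason: 'cross-origin script without Subresource Integrity',
      });
    }
  }
  return findings;
}

// Constructed sample page: one polyfill.io include, one same-origin script,
// one pinned third-party script, one unpinned third-party script, one inline.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.net/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src='//cdn.other-cdn.net/analytics.js'></script>
<script>console.log("inline");</script>
</head><body></body></html>`;

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, 'https://example.com/'), null, 2));
```

Run with `node audit.js` against saved page source, or feed it the HTML of each template in a site’s build output. The `critical` finding is the one to act on today; the `warning` entries are the rest of the third-party script inventory Paz describes below, and each is a candidate for self-hosting or pinning with SRI.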

Eyal Paz, vice president of research at application security posture management platform provider OX AppSec Security Ltd., told SiliconANGLE that the attack highlights a critical issue in current-day web development: the trust placed in third-party libraries, and in the servers that deliver them.

“AppSec teams need full visibility into all software deployed throughout their organization’s ecosystem,” Paz said. “To accomplish this, companies should be able to generate a Software Bill of Materials, which provides an accurate inventory of all of the components used in an application. Companies must also regularly assess the security posture of third-party libraries, using strong vulnerability management practices, to reduce the probability of transitive vulnerabilities and increased cyber risk.”
