HTMLHelp Forums _ Off Topic _ Polyfill.io JavaScript supply chain attack impacts over 100K sites

Posted by: Christian J Jun 29 2024, 04:25 AM

https://www.bleepingcomputer.com/news/security/polyfillio-javascript-supply-chain-attack-impacts-over-100k-sites/

Today, cybersecurity company Sansec warned that the polyfill.io domain and service was purchased earlier this year by a Chinese company named 'Funnull' and the script has been modified to introduce malicious code on websites in a supply chain attack.

"However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io," explains Sansec.

When the polyfill.io was purchased, the project developer warned that he never owned the polyfill.io site and that all websites should remove it immediately.


Posted by: pandy Jun 29 2024, 06:16 PM

And cdn.polyfill.io is yet another library, one assumes?

Hmm. That must be a risk with just about any library that lives on or connects to a remote server, mustn't it? In the wrong hands it can get a whole lot of new "features" all of a sudden...

Posted by: Christian J Jun 30 2024, 03:28 PM

Exactly! Same goes for browser extensions and mobile apps, BTW.

Posted by: pandy Jun 30 2024, 07:15 PM

Yeah, apps are a little scary since one usually knows nothing about the people behind the app. And they almost always need access to a lot of things on the phone.

The same can probably be true for computer programs if they interact with a server in some way. BTW my beloved little FW thingie TinyWall is good for that too. No program that I haven't explicitly allowed can call home.
