InfoSecBulletin Cybersecurity for mankind
Over 100,000 websites were compromised in a recent supply chain attack. The attack injected malware into the popular Polyfill JS project. It was discovered by the Sansec Forensics Team and shows the increased risks of using open-source software.
The Polyfill JS library, which helps older web browsers, has been targeted in a supply chain attack. A Chinese company took control of the Polyfill domain and GitHub account in February 2024. After the acquisition, the domain, cdn.polyfill.io, was used to distribute malware to websites using the library. Notable users of Polyfill are JSTOR, Intuit, and the World Economic Forum.
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
Sansec found that the harmful code is specifically aimed at mobile users. It creates different versions of itself based on the HTTP headers. One version redirects users to a fake Google Analytics website, which then sends them to a sports betting site. The malware has advanced features to avoid being detected, like activating only on certain types of mobile devices at specific times, and deactivating when administrative users or web analytics services are present.
Polyfill JS malware:
Sansec’s forensics team decoded a sample of malware and found out how it works and who it targets. The malware has features that protect it from being analyzed and it also delays its execution to avoid being detected by web analytics services. This makes it difficult to track down where the infection originated from.
Impact and recommendations:
The original author of Polyfill has suggested not using it anymore since modern browsers no longer need it. However, for those still needing its functionality, there are trusted alternatives from Fastly and Cloudflare.
It’s important to monitor the dependencies in your software supply chain. Sansec offers a free monitoring service called Sansec Watch for Content Security Policy (CSP) to see the code users are loading. Also, their eComscan backend scanner now detects compromised Polyfill library instances.
Indicators of Compromise (IoCs)
Redirect URL: https://kuurza.com/redirect?from=bitget
Fake Google Analytics: https://www.googie-anaiytics.com/ga.js
This Polyfill JS attack shows that open-source dependencies can have vulnerabilities. Developers should carefully review and monitor their software supply chains. They should replace outdated libraries with trusted alternatives and use security tools to detect and prevent such threats.
