From 24749dc051f8c78ca0d27e43895f59824f7dbf8b Mon Sep 17 00:00:00 2001 From: zerb4t <117054988+zerb4t@users.noreply.github.com> Date: Fri, 5 Jul 2024 17:59:37 -0700 Subject: [PATCH] compromises: polyfill.io publishing infrastructure Signed-off-by: zerb4t <117054988+zerb4t@users.noreply.github.com> --- .../compromises/2024/polyfill.md | 26 +++++++++++++++++++ supply-chain-security/compromises/README.md | 1 + 2 files changed, 27 insertions(+) create mode 100644 supply-chain-security/compromises/2024/polyfill.md diff --git a/supply-chain-security/compromises/2024/polyfill.md b/supply-chain-security/compromises/2024/polyfill.md new file mode 100644 index 000000000..9bfaf0b60 --- /dev/null +++ b/supply-chain-security/compromises/2024/polyfill.md @@ -0,0 +1,26 @@ + +# Polyfill.io Infrastructure Takeover Leading to Malware Distribution + +In February 2024, a Chinese company acquired control of the `polyfill dot io,com` domains, and the `polyfillpolyfill` GitHub account. + +In June 2024, Sansec observed malware being served from the `cdn dot polyfill dot io` domain. Other researchers discovered some of the malware's functions referenced in other domains including BootCSS, BootCDN and Staticfile, and based on exposed API keys in public GitHub repositories, proposed the same threat actor is behind all the domains. + +## Impact + +* While the observed malware only performed site redirection, malicious control of `cdn dot polyfill dot io` could result in arbitrary malicious JavaScript code execution in users' browsers. +* Namecheap shut down the domain for a period of time, and some threat feeds flagged the domain as malicious +* While polyfills shouldn't be required in modern browsers, and despite the project's creator warning users since February to steer away from the `polyfill dot io` domain, this incident prompted Fastly and Cloudflare to offer safer drop-in replacements +* Google Ads started disapproving ads pointing to sites using the affected domains +* Sansec estimated this incident affects over 100,000 websites, and Cloudflare's CEO said about 4% of the web used `polyfill dot io` + +## Type of Compromise + +This is a _publishing infrastructure_ compromise. + +## References + +* [Sansec Research](https://sansec.io/research/polyfill-supply-chain-attack) +* [BleepingComputer](https://www.bleepingcomputer.com/news/security/polyfillio-bootcdn-bootcss-staticfile-attack-traced-to-1-operator/) +* [BleepingComputer](https://www.bleepingcomputer.com/news/security/polyfill-claims-it-has-been-defamed-returns-after-domain-shut-down/) +* [Fastly Community](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540) +* [Cloudflare Blog](https://blog.cloudflare.com/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-safer-internet/) diff --git a/supply-chain-security/compromises/README.md b/supply-chain-security/compromises/README.md index 41abf6e4f..c6e805610 100644 --- a/supply-chain-security/compromises/README.md +++ b/supply-chain-security/compromises/README.md @@ -30,6 +30,7 @@ of compromise needs added, please include that as well. | Name | Year | Type of compromise | Link | | ----------------- | ------------------ | ------------------ | ----------- | +| [Polyfill.io Infrastructure Takeover Leading to Malware Distribution](2024/polyfill.md) | 2024 | Publishing Infrastructure | [1](https://sansec.io/research/polyfill-supply-chain-attack) | | [Malware Disguised as Installer used to target Korean Public Institution](2024/targeted-signed-endoor.md) | 2024 | Trust and Signing | [1](https://asec.ahnlab.com/en/63396/) | | [3proxy signing incident](2024/laixi-3proxy.md) | 2024 | Trust and Signing | [1](https://news.sophos.com/en-us/2024/04/09/smoke-and-screen-mirrors-a-strange-signed-backdoor/) | | [xz backdoor incident](2024/xz.md) | 2024 | Malicious Maintainer | [1](https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide) |