A recent supply chain attack has compromised over 100,000 websites by injecting malware through the popular Polyfill JS project. The incident, discovered by the Sansec Forensics Team, highlights the growing risks associated with open-source software dependencies.
The Polyfill JS library, used extensively to support older web browsers, has become the latest victim of a sophisticated supply chain attack. The attack became possible after a Chinese company acquired the domain and GitHub account associated with Polyfill in February 2024. Since the acquisition, the cdn.polyfill.io domain has been used to serve malware to any site that embeds the library from it. High-profile users of Polyfill include JSTOR, Intuit, and the World Economic Forum.
Sansec's analysis revealed that the malicious code, generated dynamically based on the request's HTTP headers, specifically targets mobile users. One particular strain of the malware redirects users to a fake Google Analytics domain (www.googie-anaiytics.com, a look-alike of google-analytics.com), which in turn sends them on to a sports betting site. The malware includes several features to avoid detection, such as activating only on specific mobile devices at specific hours and staying dormant when an administrative user or a web analytics service is present.
Polyfill JS malware
Sansec's forensics team decoded a sample of the malware, uncovering its methods and targets. The malware's code includes protections against reverse engineering and delays execution to evade detection by web analytics services. This ensures that it does not appear in site statistics, making it harder to trace the source of the infection.
Here's a breakdown of the malware's behavior:
- The malware checks whether the user is on a mobile device.
- Mobile users are redirected to a sports betting site via a fake Google Analytics domain.
- The code activates only at specific times to avoid detection and analysis.
- The malware deactivates when an admin user is detected or when certain web analytics services are found.
Impact and recommendations
Polyfill's original author has recommended discontinuing its use, noting that modern browsers no longer require such libraries. For those still needing Polyfill's functionality, trusted alternatives from Fastly and Cloudflare are available.
The attack underscores the importance of monitoring the dependencies in your software supply chain. Sansec recommends using their free Content Security Policy (CSP) monitoring service, Sansec Watch, to gain visibility into the code that users are loading. Additionally, their eComscan backend scanner has been updated to detect instances of the compromised Polyfill library.
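To make the CSP recommendation concrete, here is an added example in Node.js, written for this page (it is not Sansec Watch or any Sansec code): it builds a Content-Security-Policy header that allows scripts only from an allowlist, and triages the violation reports a browser posts to the report-uri endpoint so that any blocked load from the indicator hosts named in this article stands out. The allowlisted origin, the report path, the function names and the sample report payload are assumptions constructed for the demo.

```javascript
// Added example, not Sansec's tooling: CSP allowlist plus violation-report triage.
// The hosts below are the indicators from the article; everything else is constructed.
const KNOWN_BAD_HOSTS = new Set([
  'cdn.polyfill.io',          // compromised Polyfill CDN
  'www.googie-anaiytics.com', // typosquatted Google Analytics domain
  'kuurza.com',               // redirect target
]);

// Build the CSP header. Start in report-only mode: the browser keeps loading
// everything but posts a report for each script the policy would block, which is
// how you learn what your pages really pull in before switching to enforcement.
function buildCspHeader({ scriptOrigins = [], reportUri = '/csp-report', reportOnly = true } = {}) {
  const value = [
    "default-src 'self'",
    ["script-src 'self'", ...scriptOrigins].join(' '),
    `report-uri ${reportUri}`,
  ].join('; ');
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return { name, value };
}

// Parse one report-uri payload ({"csp-report": {...}}, the CSP Level 2 format)
// and classify it. blocked-uri may be a keyword such as "inline" or "eval"
// rather than a URL, so the hostname extraction must tolerate that.
function triageCspReport(jsonBody) {
  const report = JSON.parse(jsonBody)['csp-report'];
  if (!report) throw new Error('not a csp-report payload');
  let blockedHost = null;
  try {
    blockedHost = new URL(report['blocked-uri']).hostname.toLowerCase();
  } catch {
    blockedHost = null; // keyword or malformed value
  }
  let severity = 'info';
  if (blockedHost) {
    severity = KNOWN_BAD_HOSTS.has(blockedHost) ? 'critical' : 'review';
  }
  return {
    documentUri: report['document-uri'],
    directive: report['effective-directive'] || report['violated-directive'],
    blockedHost,
    severity,
  };
}

// Constructed sample: what a browser would post if a page still loaded the
// script from the compromised domain under the policy built above.
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://shop.example.test/checkout',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'original-policy': "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com; report-uri /csp-report",
    'blocked-uri': 'https://cdn.polyfill.io/v3/polyfill.min.js',
  },
});

// Assumed allowlist: one trusted CDN origin (the article names Cloudflare as a
// provider of a trusted alternative; the exact origin here is an assumption).
const header = buildCspHeader({ scriptOrigins: ['https://cdnjs.cloudflare.com'] });
console.log(`${header.name}: ${header.value}`);
console.log(triageCspReport(SAMPLE_REPORT));
```

Deploy the report-only header first, collect reports for a few days, and only then flip `reportOnly` to `false`; a `critical` triage result means a page is still pulling the library from the compromised domain even if the browser blocked it. Note that `report-uri` is the older reporting mechanism; it is still widely honoured, but newer browsers also support `report-to`.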
Indicators of Compromise (IoCs)
- Redirect URL: https://kuurza.com/redirect?from=bitget
- Malicious script: https://www.googie-anaiytics.com/html/checkcachehw.js
- Fake Google Analytics: https://www.googie-anaiytics.com/ga.js
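Here is an added example, written for this page (it is not Sansec's eComscan or any other Sansec code), that sweeps a page's HTML for script references matching the indicators above and produces a copy with the offending tags removed, which is what the original author's advice to discontinue the library amounts to. The sample HTML, the page origin and the function names are constructed for the demo.

```javascript
// Added example, not Sansec's scanner: find and strip script tags that load from
// the indicator hosts listed in the article. The sample HTML is constructed.
const IOC_HOSTS = new Set([
  'cdn.polyfill.io',          // compromised Polyfill CDN
  'www.googie-anaiytics.com', // typosquatted Google Analytics domain
  'kuurza.com',               // redirect target
]);

// Matches a <script ... src=...>...</script> element and captures the src value
// whether it is double-quoted, single-quoted or bare. A fresh RegExp per call
// avoids shared lastIndex state between the exec loop and replace().
function scriptTagRe() {
  return /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>[\s\S]*?<\/script\s*>/gi;
}

// Resolve relative and protocol-relative URLs against the page origin and
// return the hostname, or null if the value is not a URL at all.
function hostOf(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Every external script source in the document, in order of appearance.
function extractScriptSources(html) {
  const re = scriptTagRe();
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    sources.push(m[1] ?? m[2] ?? m[3]);
  }
  return sources;
}

// Report each indicator host referenced by the page. Script tags are resolved
// properly; anything else (e.g. a loader that builds a script element at
// runtime) is caught by a plain substring check and reported with src: null.
function findIocHits(html, pageOrigin = 'https://example.test/') {
  const hits = [];
  for (const src of extractScriptSources(html)) {
    const host = hostOf(src, pageOrigin);
    if (host && IOC_HOSTS.has(host)) hits.push({ src, host });
  }
  const lower = html.toLowerCase();
  for (const host of IOC_HOSTS) {
    if (lower.includes(host) && !hits.some((h) => h.host === host)) {
      hits.push({ src: null, host });
    }
  }
  return hits;
}

// Remediation: drop every script tag whose src points at an indicator host.
// Inline references are only flagged by findIocHits, not rewritten here.
function stripIocScripts(html, pageOrigin = 'https://example.test/') {
  return html.replace(scriptTagRe(), (tag, dq, sq, bare) => {
    const host = hostOf(dq ?? sq ?? bare, pageOrigin);
    return host && IOC_HOSTS.has(host) ? '' : tag;
  });
}

// Constructed sample page: one tag from the compromised CDN, one first-party
// script, and an inline loader pointing at the typosquatted analytics domain.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
<script>
  var s = document.createElement('script');
  s.src = '//www.googie-anaiytics.com/ga.js';
  document.head.appendChild(s);
</script>
</head><body></body></html>`;

console.log(findIocHits(SAMPLE_HTML));
console.log(stripIocScripts(SAMPLE_HTML));
```

Run it over saved copies of your templates and over the rendered HTML your origin actually serves; the two can differ when a theme, tag manager or plugin injects the tag at request time. A hit with `src: null` needs a manual look, because the reference is being assembled in script rather than sitting in a static tag.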
This Polyfill JS supply chain attack serves as a stark reminder of the vulnerabilities inherent in open-source dependencies. Developers are urged to review and monitor their software supply chains diligently, replace outdated libraries with trusted alternatives, and utilize security tools to detect and mitigate such threats effectively.
Stefan
> has become the latest victim of a sophisticated supply chain attack
To be honest, this doesn’t sound sophisticated at all, but straight up simple and easily doable. You don’t even have to be a hacker or computer scientist or anything else to achieve this.
Handler
Agree with Stefan. Based on the article, the impact is: “malware redirects users to a fake Google Analytics domain (www.googie-anaiytics.com), which in turn directs them to a sports betting site”, which I don't think is in any way a “sophisticated” attack. In fact, based on behavior it's just an open redirection attack. This is pretty lame.