Polyfill.io owner punches back at 'malicious defamation' amid domain shutdown

No supply-chain attacks to see over here!


Updated After having its domain taken down, the owner of polyfill.io is fighting back against claims it smuggled malicious code onto websites all across the internet.

In a series of angry Xeets over the past three days, what appears to be the CDN operator that owns the Polyfill service accused Cloudflare, the media, and others of "malicious defamation" and "slander."

"We have no supply chain risks," the org claimed in one of several posts.

The angry missives follow multiple warnings from experts in the computer security industry — and even the creator of the open source Polyfill service project — telling anyone with a website using any JavaScript code from the polyfill.io domain to immediately remove it.

Following all that criticism, domain registrar Namecheap suspended polyfill.io. The service has since relaunched at polyfill[.]com, billed as a "free CDN for open source projects."

Back in February, CDN operator Funnull bought the .io domain and its associated GitHub account. Sometime after that, polyfill.io was caught sneaking malicious code onto sites in a supply-chain attack, according to e-commerce security outfit Sansec. At the start of the week, more than 100,000 websites were still loading the domain's scripts, the Sansec forensic team said.

We should note Funnull claims to be based in Slovenia while also being "made in the USA," the various office addresses around the world listed on its main website don't exist, and its WhatsApp and WeChat contact number is in the Philippines. The site's underlying language and its Telegram profile are written in Chinese, leading many to suspect the business is some kind of Chinese entity or is targeting Chinese customers. The Polyfill Twitter account, meanwhile, says it's based in the UK.

What's more, a Chinese-language outfit called ACB Group, which advertises a range of web products from CDNs to adult live-streaming video technology, may be the parent of Funnull, since ACB markets Funnull as its CDN solution. One of Funnull's side sites also gives a real address in Manila, which may be where at least some of the team works.

Following the domain's sale in February, Cloudflare warned that it posed a supply-chain risk: because sites pull the polyfill script straight from the third-party domain on every page load, whoever controlled the .io domain could swap the JavaScript it served for malicious code and compromise a vast number of sites at once, with no change to any of those sites' own code. By Wednesday, Cloudflare said those worries had become a reality, and reported the Polyfill.io service was being used to inject malicious code into browsers.

Specifically, according to Cloudflare, "the polyfill.io service was being used to inject nefarious code that, under certain circumstances, redirected users to other websites." Sansec went into more detail in an earlier write-up, noting:

The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely. Sansec decoded one particular malware which redirects mobile users to a sports betting site using a fake Google analytics domain. The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours. It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats.

"This is a real threat to the internet at large given the popularity of this library," Cloudflare CEO and co-founder Matthew Prince noted in an advisory on Wednesday along with CTO John Graham-Cumming and senior director Michael Tremante. 

The cloud giant also spun up an automatic JavaScript URL rewriting service: for websites proxied through Cloudflare, it rewrites script references to polyfill.io in the HTML it serves so they point at Cloudflare's own mirror of the polyfill service instead.

"This will avoid breaking site functionality while mitigating the risk of a supply chain attack," the trio wrote. The feature is already enabled for sites on the free plan; paid-plan customers can turn it on with one click.
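For site operators who aren't behind Cloudflare, the same idea applies to their own HTML: find every script tag that loads from polyfill.io and either delete it or repoint it at a mirror. Note that a subresource-integrity hash is not an option here, because (as Sansec observed) the service generates a different bundle depending on the request headers, so there is no single hash to pin; the only real fix is to stop loading from that host. The following is an added example written for this page, not Cloudflare's rewriting code and not anything from polyfill.io. It scans an HTML string with a regex rather than a DOM parser (so scripts injected at runtime would be missed), and the default mirror base is an assumption modelled on Cloudflare's cdnjs mirror; the sample page it operates on is constructed inline.

```javascript
// Added example: audit an HTML document for <script> tags that load from
// polyfill.io and rewrite them to a mirror host. Not Cloudflare's or
// polyfill.io's code; a stand-alone illustration of the technique.
// The default mirror base below is an assumption modelled on Cloudflare's
// cdnjs mirror.

const SUSPECT_HOSTS = new Set(["polyfill.io", "cdn.polyfill.io"]);

// Matches <script ... src=URL ...>, capturing attributes before src, the quote
// character (empty for unquoted values), the URL, and trailing attributes.
// The lookbehind stops "data-src" from being mistaken for "src".
const SCRIPT_SRC_RE =
  /<script\b([^>]*?)(?<![\w-])src\s*=\s*(["']?)([^"'\s>]+)\2([^>]*)>/gi;

// Parse a src attribute into a URL, treating protocol-relative //host/path as
// https. Relative paths and malformed values return null (not a third-party load).
function parseSrc(src) {
  const absolute = src.startsWith("//") ? "https:" + src : src;
  try {
    return new URL(absolute);
  } catch {
    return null;
  }
}

// True when the src loads from one of the suspect hosts. The URL parser
// lowercases the host, so POLYFILL.IO and polyfill.io compare equal.
function isPolyfillIoUrl(src) {
  const u = parseSrc(src);
  return u !== null && SUSPECT_HOSTS.has(u.hostname);
}

// Return every script src on the page that points at polyfill.io, for auditing.
function findPolyfillReferences(html) {
  const hits = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    if (isPolyfillIoUrl(m[3])) hits.push(m[3]);
  }
  return hits;
}

// Rewrite polyfill.io script sources to the mirror. The path (/v3/polyfill.min.js)
// and the ?features= query are kept so the mirror serves an equivalent bundle.
function rewritePolyfillScripts(html, mirrorBase = "https://cdnjs.cloudflare.com/polyfill/") {
  // A trailing slash makes relative resolution append to the base path.
  const base = mirrorBase.endsWith("/") ? mirrorBase : mirrorBase + "/";
  return html.replace(SCRIPT_SRC_RE, (tag, pre, quote, src, post) => {
    if (!isPolyfillIoUrl(src)) return tag;
    const u = parseSrc(src);
    const target = new URL(u.pathname.replace(/^\/+/, ""), base);
    target.search = u.search;
    return `<script${pre}src=${quote}${target.href}${quote}${post}>`;
  });
}

// Constructed sample page (not from any real site): two polyfill.io loads,
// one unrelated third-party script, one first-party script.
const SAMPLE_HTML = [
  "<!doctype html><html><head>",
  '<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>',
  "<script defer src='//cdn.polyfill.io/v2/polyfill.min.js'></script>",
  '<script src="https://example.com/app.js"></script>',
  '<script src="/local/vendor.js"></script>',
  "</head><body></body></html>",
].join("\n");

console.log("polyfill.io references:", findPolyfillReferences(SAMPLE_HTML));
console.log(rewritePolyfillScripts(SAMPLE_HTML));
```

Run it with Node; it lists the two offending references and prints the page with both repointed at the mirror, leaving the example.com and first-party scripts untouched. Whether to rewrite or simply remove the tag depends on whether the site still needs polyfills at all; for modern browsers the honest answer is usually that it does not.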

On Thursday, again via X/Twitter, whoever is behind the Polyfill service responded, describing Cloudflare's actions as "deplorable."

"Moving forward, I will be fully dedicated to developing a global CDN product that surpasses Cloudflare, showcasing the true power of capital," they added. The site owner claimed to have $50 million in funding, and added "the product design has been finalized." ®

Updated to add at 2000 UTC

It appears polyfill[.]com is already toast: the domain no longer resolves to any IP address, so the relaunched site is dead.
