The polyfill.io domain is being used to infect more than 100,000 websites with malware after a Chinese organization bought the domain earlier this year.
Now we're told pollyfill.io is serving malicious code hidden in those scripts, meaning anyone visiting a website using the domain will end up running that malware in their browser.in an advisory."It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code in scripts served to end-users."
Sites that embed poisoned scripts from polyfill.io and also bootcss.com may end up unexpectedly redirecting visitors away from the intended location, and send them to malicious sites, Googleare already carrying the hostile scripts, according to the Sansec security forensics team, which on Tuesday claimed Funnull, a Chinese CDN operator that bought the polyfill.io domain and its associated GitHub account in February, has since been using the service in a supply chain attack.
In February, he said he had nothing to do with the domain name's sale, and presumably the associated GitHub repo, to the Chinese CDN, and urged everyone to remove its code from their webpages as a precaution following the change in ownership.of polyfill.io so that sites could continue to use the code for the meanwhile without having to load in stuff from a Chinese entity.