The supply chain attack targeting the widely-used Polyfill[.]io JavaScript library is broader in scope than previously thought, with new findings from Censys showing that over 380,000 hosts are embedding a polyfill script linking to the malicious domain as of July 2, 2024.
This includes references to "https://cdn.polyfill[.]io" or "https://cdn.polyfill[.]com" in their HTTP responses, the attack surface management firm said.
"Approximately 237,700, are located within the Hetzner network (AS24940), primarily in Germany," it noted. "This is not surprising – Hetzner is a popular web hosting service, and many website developers leverage it."
Further analysis of the affected hosts has revealed domains tied to prominent companies like WarnerBros, Hulu, Mercedes-Benz, and Pearson that reference the malicious endpoint in question.
Details of the attack emerged in late June 2024 when Sansec alerted that code hosted on the Polyfill domain had been modified to redirect users to adult- and gambling-themed websites. The code changes were made such that the redirections only took place at certain times of the day and only against visitors who met certain criteria.
The nefarious behavior is said to have been introduced after the domain and its associated GitHub repository were sold to a Chinese company named Funnull in February 2024.
The development has since prompted domain registrar Namecheap to suspend the domain, content delivery networks such as Cloudflare to automatically replace Polyfill links with domains leading to alternative safe mirror sites, and Google to block ads for sites embedding the domain.
While the operators attempted to relaunch the service under a different domain named polyfill[.]com, it was also taken down by Namecheap as of June 28, 2024. Of the two other domains registered by them since the start of July – polyfill[.]site and polyfillcache[.]com – the latter remains up and running.
On top of that, a more extensive network of potentially related domains, including bootcdn[.]net, bootcss[.]com, staticfile[.]net, staticfile[.]org, unionadjs[.]com, xhsbpza[.]com, union.macoms[.]la, newcrbpc[.]com, has been uncovered as tied to the maintainers of Polyfill, indicating that the incident might be part of a broader malicious campaign.
"One of these domains, bootcss[.]com, has been observed engaging in malicious activities that are very similar to the polyfill[.]io attack, with evidence dating back to June 2023," Censys noted, adding it discovered 1.6 million public-facing hosts that link to these suspicious domains.
"It wouldn't be entirely unreasonable to consider the possibility that the same malicious actor responsible for the polyfill.io attack might exploit these other domains for similar activities in the future."
The development comes as WordPress security company Patchstack warned of cascading risks posed by the Polyfill supply chain attack on sites running the content management system (CMS) through dozens of legitimate plugins that link to the rogue domain.
Software supply chain security firm Phylum, in a similar advisory, said that it found over 1,250 packages on PyPI and npm that reference the domain polyfill[.]io, urging users relying on the libraries to "check these references and understand the conditions under which they are invoked."