polyfill.io
Polyfill.io CDN Supply Chain Attack
After the popular polyfill.io domain was acquired by Funnull, the CDN began serving malicious JavaScript to selected visitors. The injected code redirected specific mobile users toward scam and gambling sites while avoiding administrative viewers, letting a browser compatibility service become a targeted traffic switch.
- Date
- 2024-02-01 to 2024-06-27
- Category
- Open Source
- Target Surface
- Distribution
- Insertion Phase
- runtime
- Impact
- Malicious Redirection
- Cause
- Domain Acquisition
What Was Affected
Package
polyfill.io
Language JavaScript
Component CDN
Artifact type script
Domain type CDN
Domain
polyfill.io
Incident Context
- Motive
- Malicious
- Attribution
- Third Party
- Transitive
- Yes
- User Impact
- 100000
- Observed Duration
- 147 days
External References
Source Data
Source record: oss/polyfill.io/meta.yaml