Security Alert: Supply Chain Attack

Malware compromises more than 100,000 JavaScript websites.

By Louise Dalton
Origina Security Operations Analyst

and Matt Woodford
Origina Pre-Sales Specialist and Integration Technologist

There is a significant JavaScript supply chain vulnerability involving the widely used JavaScript file hosted on the domain. It is believed that over 100,000 websites use the popular JavaScript Content Delivery Network (CDN) service, The domain might have also been compromised.

The domain was acquired by the Chinese company Funnull on February 24, 2024, and its traffic was redirected to Baishan Cloud CDN.

Baishan Cloud CDN is a cloud-based service provided by Baishan Cloud, a Chinese company specializing in cloud services and network solutions. A CDN is a network of servers distributed globally to deliver content more efficiently to users by caching copies of content closer to where the users are located. This reduces latency, speeds upload times, and improves the overall user experience.

The original developer of the Polyfill service, believed to be Andrew Betts, never owned the domain or had influence over the sale. In fact, on February 25, 2024, Betts posted on his X account that “If your website uses, remove it IMMEDIATELY. I created the polyfill service project, but I have never owned the domain name and I have no influence over its sale.”

Since then, this domain was caught injecting malware (malicious JS injection) via any site that embeds, which affects landing pages, redirecting mobile visitors to scan sites and potentially planting back-doors. These actions could lead to monitoring user traffic and malicious interception of sensitive information, including credential theft and other security issues.

Incidentally, complaints on the associated GitHub site, also believed to be owned by Funnull, have been deleted.

Here’s how it works.

  1. User embeds into their website to enable function on older browsers.
  2. User’s website connects with compromised domain.
  3. Victims connect with compromised website/malicious JS injection.
  4. Victims get redirected to alternative website that might steal credentials and inject malware.

What is Polyfill?

Polyfill is an open-source library, usually referring to Java Script, which can be implemented to allow developers utilize older browsers. The polyfill code is dynamically generated based on the HTTP headers, so numerous attack vectors could be possible.

How Polyfill Was Used in Cyberattack

Websites can embed the Polyfill library using the cdn[.]polyfill[.]io domain. When developers embedded the scripts into their websites, they now pulled code directly from the Chinese company’s site.

The attack is said to have occurred after a Chinese company who acquired the domain modified a script to redirect users to both malicious and scam sites without the website owner’s knowledge.

The modified script is primarily used to redirect users to scam sites, such as a fake Sportsbook site. It does this through a fake Google analytics domain (www[.]googie-anaiytics[.]com) or redirects like kuurza[.]com/redirect?from=bitget

According to Sansec, it has been difficult to fully analyze the modified script since it uses very specific targeting and is resistant to reverse engineering.

Steps to Mitigate Polyfill Supply Chain Attack

To mitigate these risks, developers should follow these two steps:

Step 1: Identify usage. Use a code search tool or integrated development environment (IDE) to search for instances of in source code across all projects within the organization. Software Bill of Materials (SBOM) may also assist.

Step 2: Replace with a secure version. Fastly has taken a snapshot of the code before it was sold to Funnull and is hosting it at Use this remote host until you are able to download locally and host yourself.

Developers should download the polyfill.js file locally, scan it for vulnerabilities, and host on internal systems. Replace all instances of <script src=”//”… with the new secure <scriptsrc=”//…” or locally hosted polyfill JavaScript file.


Indicators of Compromise (IOCs)

IOCs can include, but are not limited to:


A certified CompTIA Cybersecurity Analyst, Louise Dalton previously worked in cybersecurity analysis and response for Hewlett Packard. She has a master’s degree in cybersecurity.

Matt Woodford is a Solutions Architect specializing in commerce-driven cloud technologies. He has more than 25 years of experience designing and implementing complex, integrated IBM e-commerce solutions.

Is your legacy estate really protected? Ad graphic to download Origina Securing Legacy Estates guide.


Gain insight into industry-only news, access to webinars, tips and tricks, blog posts, podcasts, and guides, surrounding topics like cybersecurity, reducing software support and maintenance costs and much more, all delivered to your inbox each month.