The Polyfill.io breach is a significant supply chain attack that occurred in 2024, affecting over 100,000 websites. Polyfill.io, a service that provided JavaScript polyfills so that modern browser features work in older browsers, was compromised after its domain and associated GitHub account were acquired by a Chinese company named Funnull in February 2024.
The attackers modified the JavaScript code served by Polyfill.io to inject malicious scripts into websites using the service. This malware led to users being redirected to gambling and adult websites, often based on specific conditions like the user’s device and location. The attack was sophisticated, employing techniques to avoid detection by administrators and security tools.
The breach had widespread implications, impacting major companies and even some government websites. Security experts and the original developer of Polyfill have strongly recommended that websites immediately stop using any resources from the compromised domain and switch to safer alternatives.
The incident highlights the growing risks associated with supply chain attacks, where vulnerabilities in third-party services can lead to large-scale compromises across many sites.