Suspicious login screens at Toshiba, MUJI and other companies: each company issues a warning, likely via "polyfill io" - ITmedia NEWS
https://www.itmedia.co.jp/news/articles/2606/04/news102.html

『The companies state that, as of their announcements, no unauthorized access or information leakage has been confirmed, but they are urging users who entered an ID and password on the screen in question to change their passwords.

 Those that issued notices include Ryohin Keikaku (which operates MUJI), Toshiba, Recruit Management Solutions and Zojirushi, as well as Ishiyaku Publishers, health-services company FiNC Technologies, and Hobonichi, among others』

『The phenomenon that occurred was that, when opening some pages on the sites, an authentication screen asking for a username and password appeared. In a notice dated June 3, Zojirushi showed an example of a login screen whose URL display read "polyfill.io" and asked users who see the same screen to select "Cancel" without entering anything』

#polyfillio

Suspicious login screens at Toshiba, MUJI and other companies: each company issues a warning, likely via "polyfill io"

Companies and organizations across industries, including MUJI, Zojirushi and Boat Race, have one after another disclosed that suspicious authentication screens were displayed on their websites. The common starting point is the external service "polyfill.io", which was once the stage of a supply chain attack. Each company denies any information leakage while urging users who entered anything into the screen to change their passwords.

ITmedia NEWS

What CVE should I use for the Polyfill[.]io supply chain attack? I see that CVE-2024-38526 exists, but it's specifically for pdoc. Is there a better one?

#PolyfillIO #CVE #infosec

Y'all remember #PolyfillIO?

I realize the lesson there is: don't depend on code from domains you don't control, and in an ideal world that's what you should do

But is there still a need there? Are there #webPlatform features you'd like to use but you don't want to introduce a build process just to bundle the #polyfill from #NPM?

Or is there no point in #polyfills since #browsers don't share caches between origins these days so there's no precaching benefit anymore?

#webDev #javaScript #web

So, I'm thinking: what if I build polyfill.io, but on the Blockchain! Hey, come back...

Hear me out; #fleekfunctions are immutable, and transparent. So long as the #fleeknetwork nodes can be trusted to execute the code properly (I presume there are cryptographic guarantees of output validity) then it could be safer from supply chain attacks.

#webDev #polyfillio #polyfill #supplyChain #hacking #web3 #blockchain #fleek #javaScript

On July 5th, PolyfillIO switched to polyfill[.]top
This domain is currently unblocked by uBlock Origin and all major blocklists.
Tweet: https://x[.]com/Polyfill_Global/status/1809122842145141114
Thread with more information and also making fun of Windows users.

#PolyfillIO #PolyfillIOAttack

384,000 sites pull code from sketchy code library recently bought by Chinese firm | @dangoodin

A supply-chain attack on Polyfill.io, a #JavaScript library, redirected users to malicious sites. So far, bootcss.com is the only domain showing any signs of potential malice. The nature of the other associated endpoints remains unknown.

#CyberSecurity #SupplyChainAttack #WebDevelopment #WebProgramming #WebSecurity #Polyfill #PolyfillIO

https://arstechnica.com/security/2024/07/384000-sites-link-to-code-library-caught-performing-supply-chain-attack/

384,000 sites pull code from sketchy code library recently bought by Chinese firm

Many website admins, it seems, have yet to get the memo to remove Polyfill[.]io links.

Ars Technica
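A quick way for a site admin to check their own pages for the references these posts say should be removed, as an added example (not code from the article or from any poster). The polyfill.io, polyfill.top and bootcss.com hostnames come from the posts on this page; matching "bootcdn" and "staticfile" as host-name substrings is an assumption, and the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames named in the posts on this page; subdomains such as cdn.polyfill.io match too.
FLAGGED_DOMAINS = ("polyfill.io", "polyfill.top", "bootcss.com")
# BootCDN and Staticfile appear on the page only by name, not as domains, so
# matching those names inside a host label is an assumption of this example.
FLAGGED_LABELS = ("bootcdn", "staticfile")


def is_flagged_host(host):
    # True if host is, or is a subdomain of, a flagged domain, or carries a flagged label.
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS):
        return True
    return any(label in host for label in FLAGGED_LABELS)


class ExternalRefScanner(HTMLParser):
    # Collects <script src> and <link href> references that point at flagged hosts.
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if not url:
            return  # inline script, or a tag without a URL
        if url.startswith("//"):  # protocol-relative URLs are common in copied polyfill snippets
            url = "https:" + url
        host = urlparse(url).hostname  # None for same-origin paths such as /static/app.js
        if host and is_flagged_host(host):
            self.hits.append((tag, url))


def find_flagged_references(html):
    # Return [(tag, url), ...] for every external reference to a flagged host.
    scanner = ExternalRefScanner()
    scanner.feed(html)
    return scanner.hits


# Constructed sample page: two polyfill loaders, one Bootcss stylesheet, two harmless references.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.top/v3/polyfill.min.js"></script>
<link rel="stylesheet" href="https://cdn.bootcss.com/bootstrap/4.0.0/css/bootstrap.min.css">
<script src="https://cdn.jsdelivr.net/npm/lodash@4/lodash.min.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""
```

Running `find_flagged_references(SAMPLE_HTML)` on the sample returns the two polyfill script tags and the Bootcss stylesheet link, and nothing for the jsdelivr or same-origin references.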

> #China-based company #Funnull acquired the domain and the GitHub account that hosted the #JavaScript code. On June 25, researchers from #security firm Sansec reported that code hosted on the polyfill domain had been changed to redirect users to adult- and gambling-themed websites. The code was deliberately designed to mask the redirections by performing them only at certain times of the day and only against visitors who met specific criteria.

https://arstechnica.com/security/2024/07/384000-sites-link-to-code-library-caught-performing-supply-chain-attack/

#polyfillio #supplyChain

384,000 sites pull code from sketchy code library recently bought by Chinese firm

Many website admins, it seems, have yet to get the memo to remove Polyfill[.]io links.

Ars Technica

If you're using #polyfillio code on your site – like 100,000+ are – remove it immediately

https://www.theregister.com/2024/06/25/polyfillio_china_crisis/

If you're using Polyfill.io code on your site – like 100,000+ are – remove it immediately

Scripts turn sus after mysterious CDN swallows domain

The Register

JavaScript service Polyfill.io: 100,000 sites embed malicious code via CDN

Several security researchers are reporting an active threat from Polyfill.io's content delivery network. Google is blocking advertising from affected Ads sites.

heise online

Polyfill.io, BootCDN, Bootcss, Staticfile attack traced to 1 operator

The recent large-scale supply chain attack conducted via multiple CDNs, namely Polyfill.io, BootCDN, Bootcss, and Staticfile, that affected up to tens of millions of websites has been traced to a common operator. Researchers discovered a public GitHub repository with leaked API keys, which helped them draw that conclusion.

BleepingComputer