What CVE should I use for the Polyfill[.]io supply chain attack? I see that CVE-2024-38526 exists, but it's specifically for pdoc. Is there a better one?

Y'all remember #PolyfillIO?
I realize the lesson there is: don't depend on code from domains you don't control, and in an ideal world that's what you should do.
But is there still a need there? Are there #webPlatform features you'd like to use but you don't want to introduce a build process just to bundle the #polyfill from #NPM?
Or is there no point in #polyfills since #browsers don't share caches between origins these days so there's no precaching benefit anymore?
So, I'm thinking; what if I build polyfill.io, but on the Blockchain! Hey come back..
Hear me out; #fleekfunctions are immutable, and transparent. So long as the #fleeknetwork nodes can be trusted to execute the code properly (I presume there are cryptographic guarantees of output validity) then it could be safer from supply chain attacks.
#webDev #polyfillio #polyfill #supplyChain #hacking #web3 #blockchain #fleek #javaScript
On July 5th, PolyfillIO switched to polyfill[.]top
This domain is currently unblocked by uBlock Origin and all major blocklists.
Tweet: https://x[.]com/Polyfill_Global/status/1809122842145141114
Thread with more information and also making fun of Windows users.
384,000 sites pull code from sketchy code library recently bought by Chinese firm | @dangoodin
A supply-chain attack on Polyfill.io, a #JavaScript library, redirected users to malicious sites. So far, bootcss.com is the only domain showing any signs of potential malice. The nature of the other associated endpoints remains unknown
#CyberSecurity #SupplyChainAttack #WebDevelopment #WebProgramming #WebSecurity #Polyfill #PolyfillIO
> #China-based company #Funnull acquired the domain and the GitHub account that hosted the #JavaScript code. On June 25, researchers from #security firm Sansec reported that code hosted on the polyfill domain had been changed to redirect users to adult- and gambling-themed websites. The code was deliberately designed to mask the redirections by performing them only at certain times of the day and only against visitors who met specific criteria.
If you're using #polyfillio code on your site, like 100,000+ are, remove it immediately
https://www.theregister.com/2024/06/25/polyfillio_china_crisis/
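A check a site owner can run against their own pages, added here as an example and not taken from any of the posts above: scan a page's HTML for script and stylesheet tags that load from the domains named in this thread and report whether a Subresource Integrity attribute is present. The domain list and the sample HTML are assumptions; because the posts note the malicious payload was only served under certain conditions, fetching and hashing the resource yourself is not a reliable test, so this checks the references instead.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the posts above (assumed list); extend with any other
# third-party hosts your site loads code from but does not control.
FLAGGED_DOMAINS = ("polyfill.io", "polyfill.top", "bootcss.com")


def host_matches(host, domain):
    """True for the domain itself or any subdomain (cdn.polyfill.io)."""
    return host == domain or host.endswith("." + domain)


class ThirdPartyScanner(HTMLParser):
    """Collect <script src> and <link href> tags that load from flagged hosts."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases attribute names
        if tag == "script":
            url = attrs.get("src")
        elif tag == "link":
            url = attrs.get("href")
        else:
            url = None
        if not url:
            return
        # Protocol-relative URLs (//polyfill.top/...) have no scheme, but
        # urlparse still recognises the netloc; same-origin paths yield None.
        host = (urlparse(url).hostname or "").lower()
        for domain in FLAGGED_DOMAINS:
            if host_matches(host, domain):
                self.findings.append({
                    "tag": tag,
                    "url": url,
                    "domain": domain,
                    "has_sri": "integrity" in attrs,
                })
                break


def scan_html(html):
    """Return a list of findings for every flagged third-party reference."""
    parser = ThirdPartyScanner()
    parser.feed(html)
    return parser.findings


# Constructed sample page, not a real site.
SAMPLE = """
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//polyfill.top/v3/polyfill.min.js"></script>
<link rel="stylesheet" href="https://cdn.bootcss.com/x.css" integrity="sha384-PLACEHOLDER">
<script src="/js/app.js"></script>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE):
        print(f"{f['tag']} loads from {f['domain']} ({f['url']}); SRI present: {f['has_sri']}")
```

A reference with no `integrity` attribute means the browser will execute whatever that host serves on each load, which is exactly the exposure described in the posts.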
The recent large scale supply chain attack conducted via multiple CDNs, namely Polyfill.io, BootCDN, Bootcss, and Staticfile that affected up to tens of millions of websites has been traced to a common operator. Researchers discovered a public GitHub repository with leaked API keys helping them draw a conclusion.
> The recent large scale supply chain attack conducted via multiple CDNs, namely Polyfill.io, BootCDN, Bootcss, and Staticfile that affected anywhere from 100,000 to tens of millions of websites has been traced to a common operator
> Researchers discovered a public GitHub repository where the purported operators of Polyfill.io had accidentally exposed their Cloudflare secret keys.
LOL, FAIL!
#polyfill #polyfillio #cloudflare #bootcdn #bootcss #staticFile #security