On July 5th, PolyfillIO switched to polyfill[.]top
This domain is currently unblocked by uBlock Origin and all major blocklists.
Tweet: https://x[.]com/Polyfill_Global/status/1809122842145141114
Thread with more information and also making fun of Windows users.

#PolyfillIO #PolyfillIOAttack

uBlock Origin has blocklisted polyfill[.]com

https://github.com/uBlockOrigin/uAssets/pull/24272

#uBlockOrigin #polyfillIo #polyfillIoAttack

GitHub has placed a warning on the PolyfillIO repository (https://github.com/polyfillpolyfill/polyfill-service), and has denied access for non-logged in users. The other two repositories owned by that account are unblocked. Dismissing the warning appears to be permanent for an account.

#PolyfillIo #polyfillIoAttack #GitHubSecurity

PolyfillIO maintainer denies they are serving malicious JavaScript

Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached. Any involvement of third parties could introduce potential risks to your website, but no one would do this as it would be jeopardize our own reputation.

https://github.com/polyfillpolyfill/polyfill-service/issues/2890#issuecomment-2191461961

#polyfillIo #polyfillIoAttack

If you're still using polyfill.io you probably want to replace/remove it IMMEDIATELY. The domain has been sold and the new owners are injecting #malware (1).

If you absolutely have to use externally hosted #JavaScript and #CSS, it's a good idea to secure it with #SubresourceIntegrity (2). It's supported by most old browsers you're probably polyfilling for.

(1) https://polykill.io/
(2) https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

#polyfillio #polyfillioattack #supplychainattack