The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites

Submitted ⁨⁨4⁩ ⁨months⁩ ago⁩ by ⁨0x815@feddit.org⁩ to ⁨technology@lemmy.world⁩

https://sansec.io/research/polyfill-supply-chain-attack

The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io. Any complaints were quickly removed (archive here) from the Github repository.

source

Comments

Sort:hotnew top

originalucifer@moist.catsweat.com ⁨4⁩ ⁨months⁩ ago
nah. over 100k sites ignored dependency risks, even after the original owners warned them this exact thing would happen.

the real story is 100k sites not being run appropriately.

source
- vzq@lemmy.blahaj.zone ⁨4⁩ ⁨months⁩ ago
  The hackers just engaged in a little bit of technical debt collecting ;)
  
  source
  - Feathercrown@lemmy.world ⁨4⁩ ⁨months⁩ ago
    I’m stealing this phrase
    
    source
    -> View More Comments
- douglasg14b@lemmy.world ⁨4⁩ ⁨months⁩ ago
  That’s not how systemic problems work.
  
  This is probably one of the most security ignorant takes on here.
  
  People will ALWAYS fuck up. The world we craft for ourselves must take the “human factor” into account.
  
  And the majority of industries that actually have immediate and potentially fatal consequences do exactly this, and have been for more than a generation now.
  
  source
  - oce@jlai.lu ⁨4⁩ ⁨months⁩ ago
    Ok, people will always fuck up, so what do you do?
    
    The majority of industries that actually have immediate and potentially fatal consequences do exactly this, and have been for more than a generation now.
    
    All the organizations (including public) getting ransomware and data stolen, it’s because the consequences are not that bad? It is not gross negligence?
    
    source
    -> View More Comments
  - rottingleaf@lemmy.zip ⁨4⁩ ⁨months⁩ ago
    
    People will ALWAYS fuck up. The world we craft for ourselves must take the “human factor” into account, otherwise we amplify the consequences of what are predictable outcomes.
    
    So what does it say about us diverting from purely server-side scripted message boards with pure HTML and tables, and not a line of JS? Yes, let’s get back there please. And no phone numbers.
    
    The majority of industries that actually have immediate and potentially fatal consequences do exactly this, and have been for more than a generation now.
    
    Boeing - we know where you’re goeing.
    
    Damn near everything you interact with on a regular basis has been designed at some point in time with human psychology in mind. Built on the shoulders of decades of research and study results, that have matured to the point of becoming “standard practices”.
    
    There’s one industry which kinda started like this, with proper HIG and standard key combinations and proven usability with screenreaders or by people with color blindness, autism, ADHD, whatever.
    
    Then came in people talking with the tone similar to, sorry, yours in the “People will ALWAYS fuck up” part came saying that people want nice, dynamic, usable websites with lots of cool new features, people are social, they want girls with real photos, names and phone numbers on their forums which BTW should be called social nets.
    
    By the way, we already had that with Flash and Java applets, some things of what I remember were still cooler than modern websites of the “web application” paradigm are now. And we had personal webpages with real names and contacts and photos. And there were tools allowing to make them easily.
    
    These people just hated the existing culture with its individualism and depth, the web applications should be able to own you and not be just another kind of embedded content, the personal webpages should be all the same, and of course normies wouldn’t want to come as guests into the nerdspace - no, they had those new social nets as their space, looking down on those nerds and freaks of my kind.
    
    Now - well, try using today’s web as a person impaired in any way.
    
    And those normies can’t really use it too, and too feel impaired, they just won’t admit it.
    
    source
    -> View More Comments
- ShaunaTheDead@fedia.io ⁨4⁩ ⁨months⁩ ago
  One place I worked at recently was still using Node version 8. Running npm install would give me a mini heart attack... Like 400+ critical vulnerabilities, it was several thousand vulnerabilities all around.
  
  source
  - corsicanguppy@lemmy.ca ⁨4⁩ ⁨months⁩ ago
    
    Running npm install would give me a mini heart attack
    
    It should; but more because it installs things right off the net with no validation. Consistency of code product is not the only thing you’re tossing.
    
    source
    -> View More Comments
  - Potatos_are_not_friends@lemmy.world ⁨4⁩ ⁨months⁩ ago
    After the first 100, the other 300 kinda don’t matter.
    
    source
  - joyjoy@lemm.ee ⁨4⁩ ⁨months⁩ ago
    If you’re on RHEL 8+, you can install the latest version of node with dnf.
    
    dnf install nodejs will likely install node 8 :(. Use dnf module install nodejs:20 to install the latest version.
    
    source
- homesweethomeMrL@lemmy.world ⁨4⁩ ⁨months⁩ ago
  
  the real story is 100k sites not being run appropriately.
  
  Same as it ever was. Same as it ever was. Same as it ever was.
  
  source
  - kautau@lemmy.world ⁨4⁩ ⁨months⁩ ago
    Yeah this is just capitalistic business in general. Don’t do anything proactive if it might reduce the bottom line in the short term. Blame others and beg for help when you weren’t proactive. Succeed singularly, fail collectively
    
    source
    -> View More Comments
  - thesystemisdown@lemmy.world ⁨4⁩ ⁨months⁩ ago
    This isn’t holding up, time isn’t after us.
    
    source
- best_username_ever@sh.itjust.works ⁨4⁩ ⁨months⁩ ago
  
  100k sites ignored dependency risks
  
  JS: typing is boring, warnings are boring, security is boring.
  
  source
  - Cosmicomical@lemmy.world ⁨4⁩ ⁨months⁩ ago
    Sure, the package managers of other languages are super safe
    
    source
    -> View More Comments
- ID411@lemmy.dbzer0.com ⁨4⁩ ⁨months⁩ ago
  But now where am I going to get my “china maleware” headline !?!
  
  source
  - Warl0k3@lemmy.world ⁨4⁩ ⁨months⁩ ago
    I don’t think we have to choose. “Maintain your websites so you don’t get taken advantage of”, and “Here’s an example of a major-world-power-affiliated group exploting that thing you didn’t do” are both pretty important stories.
    
    source
  - breakingcups@lemmy.world ⁨4⁩ ⁨months⁩ ago
    I mean, both are true? It’s not a manipulative headline in my opinion.
    
    source
  - themurphy@lemmy.ml ⁨4⁩ ⁨months⁩ ago
    The malware thing still deserves a headline. They just argue it’s stupid so many even have to use the library to begin with.
    
    source
    -> View More Comments
  - catloaf@lemm.ee ⁨4⁩ ⁨months⁩ ago
    Probably at your local asian gay bar.
    
    source
Supermariofan67@programming.dev ⁨4⁩ ⁨months⁩ ago
This is why ublock origin is an essential security tool.

source
- letsgo@lemm.ee ⁨4⁩ ⁨months⁩ ago
  What rules can we add that solve this problem? (I’ve tried DDG but didn’t find any results)
  
  source
  - Supermariofan67@programming.dev ⁨4⁩ ⁨months⁩ ago
    This one is already in the default uBlock filters - Badware risks
    
    I also strongly suggest adding big.oisd.nl as a filter list. It’s a large and well maintained domain blocklist (sourced from combining lots of other blocklists) that usually adds lots of these sorts of domains quickly and has very few false positives.
    
    If you want to take it even further, check out the Pro list and Thread Intelligence Feeds list here github.com/hagezi/dns-blocklists
    
    These can all be added to a pihole too if you use one.
    
    source
    -> View More Comments
  - ChilledPeppers@lemmy.world ⁨4⁩ ⁨months⁩ ago
    cdn.polyfill.io^ ? By now it was probably already added to the default lista tho…
    
    (I dont really understant these things tho, so correct me if I’m wrong)
    
    source
dan@upvote.au ⁨4⁩ ⁨months⁩ ago
My favourite part is that the developers that currently own it said:

Someone has maliciously defamed us. We have no supply chain risks because all content is statically cached

github.com/polyfillpolyfill/…/2890#issuecomment-2…

Completely missing the point that they are the supply chain risk, and the fact that malicious code was already detected in their system (to the point where Google started blocking ads for sites that loaded polyfill .io scripts.

source
- Melvin_Ferd@lemmy.world ⁨4⁩ ⁨months⁩ ago
  Pollyfilladmin
  
  source
  - JPSound@lemmy.world ⁨4⁩ ⁨months⁩ ago
    Pollyfillpassword
    
    source
    -> View More Comments
- Treczoks@lemmy.world ⁨4⁩ ⁨months⁩ ago
  I’m not into JS stuff, but when I read that google is blocking ads, shit must be flowing in gargantuan amounts…
  
  source
dan@upvote.au ⁨4⁩ ⁨months⁩ ago
Reposting my comment from Github:

A good reminder to be extremely careful loading scripts from a third-party CDN unless you trust the owner 100% (and even then, ownership can change over time, as shown here). You’re essentially giving the maintainer of that CDN full control of your site. Ideally, never do it, as it’s just begging for a supply chain attack. If you need polyfills for older browsers, host the JS yourself. :)

If you really must load scripts from a third-party, use subresource integrity so that the browser refuses to load it if the hash changes. A broken site is better than a hacked one.

And on the value of dynamic polyfills (which is what this service provides):

Often it’s sufficient to just have two variants of your JS bundles, for example “very old browsers” (all the polyfills required by the oldest browser versions your product supports) and “somewhat new browsers” (just polyfills required for browsers released in the last year or so), which you can do with browserslist and caniuse-lite data.

source
- echodot@feddit.uk ⁨4⁩ ⁨months⁩ ago
  Yeah I used to be guilty of this. Although in slight defense of myself I never used to use random sites like that I always used to pull everything from Google CDN since I can’t see that changing hands.
  
  They may very well shut it down without warning, but they’re probably not going to sell it to anyone.
  
  source
  - dan@upvote.au ⁨4⁩ ⁨months⁩ ago
    Yeah, it really depends on how much you trust the vendor.
    
    Google? Say what you want about the company, but they’ll never intentionally serve malware.
    
    Random company with no track record where we don’t even know who is maintaining the code? Much less trustworthy. The polyfill . io repo is currently owned by a Github user called “polyfillpolyfill” with no identifying information.
    
    source
- EleventhHour@lemmy.world ⁨4⁩ ⁨months⁩ ago
  Regular code review for security should be SOP
  
  source
  - dan@upvote.au ⁨4⁩ ⁨months⁩ ago
    You’d be surprised how much code people blindly reuse without even looking at it, especially in JavaScript. The JS standard library is ridiculously small, so nearly all JS apps import third-party code of some sort. One JS framework can pull in hundreds of third-party modules.
    
    source
    -> View More Comments
jamyang@lemmy.world ⁨4⁩ ⁨months⁩ ago
Man, the Chinese are becoming a new major nuisancec on internet.

source
- cheese_greater@lemmy.world ⁨4⁩ ⁨months⁩ ago
  Is therea way to ground them for a month while they think about what they did?
  
  source
  - joyjoy@lemm.ee ⁨4⁩ ⁨months⁩ ago
    All Chinese businesses are owned by the CCP, except the ones that get caught being naughty. Suddenly those are a private business with no ties to the party.
    
    source
  - Strykker@programming.dev ⁨4⁩ ⁨months⁩ ago
    All it would really take is internet providers to black hole the China AS numbers in their BGP configs. Then boom China basically can’t talk to the rest of the world.
    
    source
    -> View More Comments
  - btaf45@lemmy.world ⁨4⁩ ⁨months⁩ ago
    Last time they came to Jesus in China 20 million people died.
    
    en.wikipedia.org/wiki/Taiping_Rebellion
    
    source
    -> View More Comments
  - Syrc@lemmy.world ⁨4⁩ ⁨months⁩ ago
    I don’t know how viable would that be on a large scale, but they could just ban all China-based companies from operating outside like the US did with Tiktok.
    
    I think that would deal a decent blow on their economy, but I’m far from an expert in those fields so someone who knows better will probably come and debunk me.
    
    source
    -> View More Comments
Bertuccio@lemmy.world ⁨4⁩ ⁨months⁩ ago
Whichever editor let them post “100 thousand” should be spanked one 100 times with the severed hand of whatever asshole wrote it in the first place.

source
- Potatos_are_not_friends@lemmy.world ⁨4⁩ ⁨months⁩ ago
  
  spanked one 100 times
  
  One 100 times or 1 time, but 100 times?
  
  source
  - ericatty@lemmy.ml ⁨4⁩ ⁨months⁩ ago
    100x one 100 thousand times
    
    source
  - Lightsong@lemmy.world ⁨4⁩ ⁨months⁩ ago
    Yes
    
    source
  - Chewget@lemm.ee ⁨4⁩ ⁨months⁩ ago
    Or one,100? 1,hundred? 1’100? Eleventy 100?
    
    source
- JackbyDev@programming.dev ⁨4⁩ ⁨months⁩ ago
  1 hundred times!
  
  source
- sem@lemmy.blahaj.zone ⁨4⁩ ⁨months⁩ ago
  1000 hundred?
  
  source
LodeMike@lemmy.today ⁨4⁩ ⁨months⁩ ago
What’s the malware do?

source
- ikidd@lemmy.world ⁨4⁩ ⁨months⁩ ago
  Makes you hungry an hour later.
  
  source
  - LodeMike@lemmy.today ⁨4⁩ ⁨months⁩ ago
    Ah frick
    
    source
- UnderpantsWeevil@lemmy.world ⁨4⁩ ⁨months⁩ ago
  Frustrating that the article doesn’t specify and simply links to a different Github page which doesn’t clearly specify the problem either.
  
  I have to assume the site’s article was dynamically generated, without any actual tech journalist doing the reporting. The byline is “Sansec Forensics Team” which doesn’t even link out to the group. Also, the “Chinese Company” isn’t named either it the article or the references, which is incredibly shoddy reporting. The archive link is dead.
  
  This whole page is indicative of the failed state of tech journalism. A genuinely explosive story but its so threadbare and vague that it becomes meaningless.
  
  source
  - sorter_plainview@lemmy.today ⁨4⁩ ⁨months⁩ ago
    The site is Sansec. They uncovered it.
    
    source
- ILikeBoobies@lemmy.ca ⁨4⁩ ⁨months⁩ ago
  Selective advertising redirects
  
  source
  - LodeMike@lemmy.today ⁨4⁩ ⁨months⁩ ago
    Of course it does.
    
    source
fne8w2ah@lemmy.world ⁨4⁩ ⁨months⁩ ago
Wumao trolls incoming in 3…2…

source
- 0x815@feddit.org ⁨4⁩ ⁨months⁩ ago
  They must earn their 50 cents …
  
  source
  - echodot@feddit.uk ⁨4⁩ ⁨months⁩ ago
    Pretty well paid then
    
    source
cupcakezealot@lemmy.blahaj.zone ⁨4⁩ ⁨months⁩ ago
that’s not very nice to call javascript malware. i know it’s bad but still.

source
NutWrench@lemmy.world ⁨4⁩ ⁨months⁩ ago
This is probably connected to China cloning the entire GitHub website to their own servers.

source
- Kushan@lemmy.world ⁨4⁩ ⁨months⁩ ago
  I’d be surprised if it’s directly linked
  
  source
  - mightyfoolish@lemmy.world ⁨4⁩ ⁨months⁩ ago
    🥁 ba dum tish 🥁
    
    source
sunzu@kbin.run ⁨4⁩ ⁨months⁩ ago
Noscript would fix this issue... Deny most of that shit and internet still works... Mostly

source
- 9point6@lemmy.world ⁨4⁩ ⁨months⁩ ago
  Not a solution. Much of the modern web is reliant on JavaScript to function.
  
  Noscript made sense when the web was pages with superfluous scripts that enhanced what was already there.
  
  Much of the modern web is web apps that fundamentally break without JS. And picking and choosing unfortunately won’t generally protect from this because it’s common practice to use a bundler such as webpack to keep your page weight down. This will have been pulled in as a dependency in many projects and the site either works or does not based on the presence of the bundle.
  
  Not saying this is a great situation or anything, but suggesting noscript as a solution is increasingly anachronistic.
  
  source
  - homesweethomeMrL@lemmy.world ⁨4⁩ ⁨months⁩ ago
    
    Much of the modern web is reliant on JavaScript to function.
    
    “function” is doing a lot of lifting there. Trackers, ads, and assorted other bullshit is not the kind of functioning anyone needs.
    
    It’s true the average user gets flummoxed quickly when the scripts are blocked, but they can either sink (eat ads and trackers) or swim (learn what scripts to allow). (Spoiler: they almost always sink)
    
    source
- dactylotheca@suppo.fi ⁨4⁩ ⁨months⁩ ago
  
  and internet still works… Mostly
  
  That load-bearing “mostly” is doing a lot of work here.
  
  I invite everybody to find out how everything “mostly” works if you disable javascript
  
  source
faizalr@kbin.run ⁨4⁩ ⁨months⁩ ago
Again?

source
QuadratureSurfer@lemmy.world ⁨4⁩ ⁨months⁩ ago
That GitHub “archive here” link leads to a page where it hasn’t been archived… (or was the archive removed??).

source
- DocMcStuffin@lemmy.world ⁨4⁩ ⁨months⁩ ago
  Looks like someone tried to archive an archived page. You can see https://web.archive.org/… is listed twice in the url. I just trimmed off the first one then it works: web.archive.org/web/20240229113710/https:/…/2834
  
  source
- 0x815@feddit.org ⁨4⁩ ⁨months⁩ ago
  Sorry, it’s corrected now (and thanks@DocMcStuffin)
  
  source
intensely_human@lemm.ee ⁨4⁩ ⁨months⁩ ago
poly fill indeed

source
nutsack@lemmy.world ⁨4⁩ ⁨months⁩ ago
nice fake article

source