Particle.news

Download on the App Store

Massive Supply Chain Attack on Polyfill.io and Other CDNs Exposes Millions of Websites

Researchers trace the breach to a single operator using leaked Cloudflare API keys, leading to widespread malware injection.

  • Over 100,000 websites compromised by malicious code through Polyfill.io and other CDNs like BootCDN and Staticfile.
  • Cloudflare denies any association with Polyfill.io, despite its name and logo being used without authorization.
  • The attack has been ongoing since June 2023, with Chinese entity Funnull implicated in the breach.
  • Polyfill.io's operators claim defamation and have relaunched the service under a new domain, polyfill.com.
  • Security experts urge immediate removal of Polyfill.io code and recommend safer alternatives like Cloudflare's mirror.
Hero image