Massive Supply Chain Attack on Polyfill.io and Other CDNs Exposes Millions of Websites
Researchers trace the breach to a single operator using leaked Cloudflare API keys, leading to widespread malware injection.
- Over 100,000 websites compromised by malicious code through Polyfill.io and other CDNs like BootCDN and Staticfile.
- Cloudflare denies any association with Polyfill.io, despite its name and logo being used without authorization.
- The attack has been ongoing since June 2023, with Chinese entity Funnull implicated in the breach.
- Polyfill.io's operators claim defamation and have relaunched the service under a new domain, polyfill.com.
- Security experts urge immediate removal of Polyfill.io code and recommend safer alternatives like Cloudflare's mirror.