Uncovering the Polyfill.io Supply Chain Attack

Jul 8, 2024

Use Snyk for free to find and fix security issues in your applications today! https://snyk.co/ugLYn

In this video, we will be uncovering how a sneaky supply chain attack on the JavaScript Polyfill.io service compromised websites across the globe, including big names like Intuit, Square, the U.S. government and more. Stay tuned to find out how the attack occurred and what you can do to prevent it!

Learn more about this supply chain attack with polyfill[.]io and more in the related blog post: https://snyk.co/ug9d7

✍️ Resources ✍️

Latest list of domains impacted:

  • polyfill[.]io
  • bootcdn[.]net
  • bootcss[.]com
  • staticfile[.]net
  • staticfile[.]org
  • unionadjs[.]com
  • xhsbpza[.]com
  • union.macoms[.]la
  • newcrbpc[.]com

⏲️ Chapters ⏲️

00:00 - Intro

00:28 - What is a polyfill and how does it work?

01:33 - How the attack started (February 2024)

02:09 - Google's Compromised Website Error Message (June 21st 2024)

02:33 - Published findings on malicious code (June 25th 2024)

02:57 - What happened since the findings

04:55 - What should you do?

05:45 - Security best practices

06:12 - Moral of the story?

06:26 - Outro

⚒️ About Snyk ⚒️

Snyk helps you find and fix vulnerabilities in your code, open-source dependencies, containers, infrastructure-as-code, software pipelines, IDEs, and more! Move fast, stay secure.

Learn more about Snyk: https://snyk.co/ugLYl

📱 Connect with Us 📱

🖥️ Website: https://snyk.co/ugLYl
🐦 X: http://twitter.com/snyksec
💼 LinkedIn: https://www.linkedin.com/company/snyk
💬 Discord: https://discord.gg/devsecops-community-918181751526948884

🔗 Hashtags 🔗

#devsecops #polyfillio #supplychain #security