This is the best summary I could come up with:
Multiple security firms sounded the alarm on Tuesday, warning organizations whose websites use any JavaScript code from the pollyfill.io domain to immediately remove it.
More than 100,000 sites are already carrying the hostile scripts, according to the Sansec security forensics team, which on Tuesday claimed Funnull, a Chinese CDN operator that bought the polyfill.io domain and its associated GitHub account in February, has since been using the service in a supply chain attack.
Since February, “this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io,” Sansec, an e-commerce security company, warned, adding that any complaints about the malicious activity are quickly vanished from the GitHub repository.
In February, he said he had nothing to do with the domain name’s sale, and presumably the associated GitHub repo, to the Chinese CDN, and urged everyone to remove its code from their webpages as a precaution following the change in ownership.
Soon after other popular CDN providers including Fastly, where Betts works today, and Cloudflare created mirrors of polyfill.io so that sites could continue to use the code for the meanwhile without having to load in stuff from a Chinese entity.
“The concerns are that any website embedding a link to the original polyfill.io domain will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack,” Cloudflare’s Sven Sauleau and Michael Tremante said in February.
The original article contains 657 words, the summary contains 238 words. Saved 64%. I’m a bot and I’m open source!
You start to wonder how many CDN’s have been compromised in the past, or if they have actually been discovered. Maybe this company did it the stupid way and got caught and someone else has not been caught.
Also, aren’t there sum checkings implemented client side, or does the server give you the sum if you select the “latest” tag? I seem to remember there was some sort of checking, but I dunno.
This one was a known bad actor, one of the polyfill devs has been warning since February. But people blindly used the cdn anyway