BleepingComputer reports that more than 100,000 websites have been compromised in a supply chain attack on Polyfill.io, an open-source JavaScript library loaded from a shared CDN to add modern browser features to older browsers, after the polyfill.io domain was purchased by Chinese firm Funnull in February.
The acquisition led to polyfill.io being CNAMEd to polyfill.io[.]bsclink[.]cn, from which malicious code was served that redirected visitors to a fake Google Analytics domain and other fraudulent sites, according to a report from Sansec. Sansec's examination of the modified script found it was hardened against reverse engineering, stayed dormant when it detected an admin user, and delayed execution when it found a web analytics service on the page. The findings follow a warning from Polyfill project developer Andrew Betts, who urged website admins to remove polyfill.io after the sale of the domain, which he said he never owned, and prompted Fastly and Cloudflare to set up their own mirrors of the service. Meanwhile, Google noted that hundreds of thousands of websites could be exposed to supply chain attacks, since similar unwanted redirects were also observed in Bootcss, Staticfile, and Bootcdn.
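The practical check that follows from the report is to find every page on your own site that still loads scripts or stylesheets from the affected CDNs. The scanner below is an added example written for this brief; it is not code from BleepingComputer, Sansec, or the Polyfill project. It assumes the CDN hostnames behind the names in the report are polyfill.io, bootcss.com, staticfile.org and bootcdn.net (subdomains included), and the HTML it scans is a constructed sample.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames assumed for the CDNs named in the brief (polyfill.io is given
# explicitly; the other three are assumed from "Bootcss", "Staticfile",
# "Bootcdn"). Matching covers the domain itself and any subdomain.
AFFECTED_HOSTS = ("polyfill.io", "bootcss.com", "staticfile.org", "bootcdn.net")


def host_is_affected(url):
    """True if the URL's host is an affected domain or a subdomain of one.

    Handles absolute URLs and protocol-relative ones ("//cdn.example/..."),
    which urlparse treats as having a netloc. data: URLs and relative paths
    have no hostname and are never flagged.
    """
    host = urlparse(url).hostname
    if not host:
        return False
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in AFFECTED_HOSTS)


class ExternalResourceScanner(HTMLParser):
    """Collects <script src> and <link href> references to affected hosts."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            url = attrs["src"]
        elif tag == "link" and attrs.get("href"):
            url = attrs["href"]
        else:
            return
        if host_is_affected(url):
            self.findings.append({
                "tag": tag,
                "url": url,
                # Subresource Integrity would pin the file's hash; polyfill.io
                # served User-Agent-specific bundles, so its users could not use
                # SRI at all, which is why the advice is removal, not pinning.
                "sri": "integrity" in attrs,
            })


def scan_html(html):
    """Return a list of findings for one HTML document."""
    parser = ExternalResourceScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two references to affected CDNs, two benign ones.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.bootcss.com/jquery/3.6.0/jquery.min.js"></script>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5/dist/css/bootstrap.min.css">
<script src="https://example.com/app.js" integrity="sha384-placeholder"></script>
</head><body></body></html>"""


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['tag']:6} {f['url']}  sri={'yes' if f['sri'] else 'no'}")
```

Run it over the rendered HTML of each page (or a crawl of your site) rather than only templates, since tag managers and CMS plugins can inject these references at runtime. Any hit on polyfill.io should be removed or pointed at the Fastly or Cloudflare mirror; the `sri` flag is informational for the other hosts.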