Supply Chain Attack on Polyfill.io and WordPress Plugins Impacts Over 100,000 Websites

Jun 26, 2024, 05:06 AM

A significant supply chain attack has impacted over 100,000 websites using the Polyfill.io service. The attack began after the domain was acquired by the Chinese company 'Funnull,' which injected malicious code into the service. This code redirected visitors to unwanted sites without the website owners' knowledge. The attack has also affected WordPress plugins, with as many as 36,000 sites compromised. Security experts are advising immediate removal of the Polyfill.io code from affected websites to mitigate the risk. The cdn.polyfill.io domain is currently being used in the attack, and experts have called on Namecheap to take action. The attack was reported by darkreading.