this post was submitted on 26 Jun 2024
136 points (97.9% liked)

Tech

483 readers
1 users here now

A community for high quality news and discussion around technological advancements and changes

Things that fit:

Things that don't fit

Community Wiki

founded 9 months ago
MODERATORS
top 12 comments
sorted by: hot top controversial new old
[–] [email protected] 21 points 5 months ago (1 children)

In a similar vein, Heinz once used a temporary domain for a promotion accessible by scanning a QR code on their bottles. The promotion ran its course, and they let the domain name expire.

Problem is these bottles were available on restaurant tables for much longer. Didn't take long before scanning the Heinz QR code at your table got you some pornography.

[–] [email protected] 3 points 5 months ago (1 children)
[–] towerful 15 points 5 months ago

People complain about the web build tool chain, bundlers, rollups etc.
And it has been and probably still is pretty stupid.
But at least you can pin and deploy all your dependencies before deploying.

This highlights why pulling in scripts at runtime from sources you don't control is a worse idea

[–] CodeMonkey 12 points 5 months ago (2 children)

This is not a supply chain attack, it is sudden extreme enshitification. according to the article, the attacker also bought the GitHub repo, so all releases should be considered tainted. The community will have to find a fork from before the acquisition and hope that there are no pre-purchase favors smuggled in.

[–] Kissaki 9 points 5 months ago* (last edited 5 months ago)

This is not a supply chain attack, it is sudden extreme enshitification. according to the article, the attacker also bought the GitHub repo

I don't see how buying the GitHub repo as well makes it not a supply chain attack but enshitification.

They bought into the supply chain. It's a supply chain attack.

[–] [email protected] 3 points 5 months ago

I thought Polyfill was a Google thing. I remember when they implemented it on YouTube and the Firefox performance was dire.

[–] [email protected] 12 points 5 months ago

This is the best summary I could come up with:


Multiple security firms sounded the alarm on Tuesday, warning organizations whose websites use any JavaScript code from the pollyfill.io domain to immediately remove it.

More than 100,000 sites are already carrying the hostile scripts, according to the Sansec security forensics team, which on Tuesday claimed Funnull, a Chinese CDN operator that bought the polyfill.io domain and its associated GitHub account in February, has since been using the service in a supply chain attack.

Since February, "this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io," Sansec, an e-commerce security company, warned, adding that any complaints about the malicious activity are quickly vanished from the GitHub repository.

In February, he said he had nothing to do with the domain name's sale, and presumably the associated GitHub repo, to the Chinese CDN, and urged everyone to remove its code from their webpages as a precaution following the change in ownership.

Soon after other popular CDN providers including Fastly, where Betts works today, and Cloudflare created mirrors of polyfill.io so that sites could continue to use the code for the meanwhile without having to load in stuff from a Chinese entity.

"The concerns are that any website embedding a link to the original polyfill.io domain will now be relying on Funnull to maintain and secure the underlying project to avoid the risk of a supply chain attack," Cloudflare's Sven Sauleau and Michael Tremante said in February.


The original article contains 657 words, the summary contains 238 words. Saved 64%. I'm a bot and I'm open source!

[–] 0x0 8 points 5 months ago* (last edited 5 months ago)

The polyfill.io domain is being used to infect more than 100,000 websites with malware after a Chinese organization bought the domain earlier this year.

Another post: Polyfill supply chain attack hits 100K+ sites

[–] [email protected] 7 points 5 months ago* (last edited 5 months ago) (1 children)

So, one would add

* polyfill.io * block

To their My Filters pane in ublock origin?

[–] b_van_b 3 points 5 months ago* (last edited 5 months ago)

This setting appears to work for me. It shows up as blocked in the logs. I've also blocked it in NoScript for good measure.

[–] [email protected] 2 points 5 months ago

Damn I had this on my noscript allowlist