Formerly legitimate Polyfill.io domain abused to serve malicious code

A site formerly used to host a service geared towards adding JavaScript polyfills to web pages to ensure compatibility with older browsers is being abused to serve malicious scripts as part of a web-based supply chain attack.

Developers are urged to check their code and remove any references or calls to the dangerous polyfill.io domain.

The domain previously supported the open source Polyfill project but turned rogue following its sale in February 2024 and purchase by Funnull, a Chinese company. …

attack browsers check code compatibility developers domain host javascript malicious malicious scripts remove scripts service supply supply chain supply chain attack vulnerabilities web web development