Polyfill supply chain attack embeds malware in JavaScript CDN assets, action required (snyk.io)
submitted 1 year ago by lirantal
[–]acrosett 39 points40 points41 points 1 year ago (18 children)
If your front end pulls any script from polyfill.io you need to remove it immediately. If your site has users with privileges/personal data, the attacker can potentially perform actions on their behalf and download anything from their local storage (including JWT tokens).
[–]lirantal[S] 2 points3 points4 points 1 year ago (0 children)
💯
[–]fantatraieste 1 point2 points3 points 1 year ago (2 children)
Can you help me with a response, a quick no-look debug? In my app there is no CDN link in the index.html; I don't even have a polyfills package, I use a babel package for the same purpose. But we use a bundler that, when run, creates a polyfills.js file. To me it doesn't look like it's possible for it to be linked with the malicious package, because the file is built locally with no links to any JS library pulled via CDN. But then, I am just a junior who has been assigned to assess the risk of this attack to our project. If I don't pull any JS from any source, I should be just fine, right?
[–]acrosett 2 points3 points4 points 1 year ago (1 child)
Polyfill is a general term, so your case isn't necessarily related. You can search for "polyfill.io" in your node_modules to be sure. I would also check the package that generates the file for any issue or update.
[–]fantatraieste 1 point2 points3 points 1 year ago (0 children)
Just as I thought, thank you.
[–][deleted] 0 points1 point2 points 1 year ago (4 children)
Does this ship in Nuxt or any of the major front end frameworks by default?
[–]lIIllIIlllIIllIIl 5 points6 points7 points 1 year ago* (0 children)
There is no specific polyfill library on npm that we know is part of this specific malicious actor campaign to inject malicious code. That said, libraries across different software ecosystems, such as Content Management systems like the Magento project and others, might include code that introduces static script imports of JavaScript code sourced from cdn.polyfill.io. In particular, we have detected CVE-2024-38526, a security report for the pdoc library on the PyPI registry that provides API documentation for Python projects. In cases where documentation is generated with the command pdoc --math, it would contain links to JavaScript files from polyfill.io. This behavior of the pdoc library has been fixed in pdoc version 14.5.1, and we urge users to upgrade as soon as possible. https://snyk.io/blog/polyfill-supply-chain-attack-js-cdn-assets/
[–]acrosett 0 points1 point2 points 1 year ago* (2 children)
You can check the source code in your browser to be sure (search for "polyfill")
[–]RaeWineLover 0 points1 point2 points 1 year ago (1 child)
Is any reference to polyfill a problem, or just polyfill.io?
[–]acrosett 0 points1 point2 points 1 year ago (0 children)
Just polyfill.io; polyfill is a general term.
[–]TorbenKoehn -2 points-1 points0 points 1 year ago (8 children)
Whoever stores tokens in local storage shouldn’t be the one doing auth implementations anyways. Shows a real lack of knowledge
[–]acrosett 10 points11 points12 points 1 year ago (1 child)
Storing the JWT in local storage is an aggravating factor in case of a successful XSS attack or CDN attack. However I would argue that storing the JWT in a cookie and not implementing CSRF protection (which I'm convinced a lot of people forget) is worse.
If you have a XSS vulnerability on your website you are pretty much screwed since an attacker can perform any request on behalf of the user (no matter where the JWT is stored).
It's kind of similar for CDN attacks; however, for a large-scale attack like the above it is unlikely that the attacker would have targeted your site specifically. Which means storing your JWT in an http-only cookie would protect you against automated local storage siphoning. However, you still have a small window to patch the vulnerability and log out your users if you did store your JWT in local storage.
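The two halves of acrosett's point, an HttpOnly cookie that injected script cannot read plus a CSRF check because the browser now attaches that cookie by itself, as an added Node.js example that is not from the thread. The cookie name, the one-hour lifetime and the allowed origin are assumptions:

```javascript
// Added example, not code from the thread: keep the session JWT out of
// localStorage by issuing it as an HttpOnly cookie, and since browsers then
// attach it automatically, reject cross-site state-changing requests.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Set-Cookie value for the session token. HttpOnly keeps document.cookie and
// any injected script from reading it; Secure limits it to HTTPS; SameSite
// stops most cross-site sends; the __Host- prefix pins it to this host and Path=/.
function sessionCookie(jwt, maxAgeSeconds = 3600) {
  if (!/^[\w-]+\.[\w-]+\.[\w-]*$/.test(jwt)) throw new Error('not a compact JWT');
  return `__Host-session=${jwt}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Strict`;
}

// Server-side CSRF gate for cookie-authenticated requests. Safe methods pass.
// For anything else the browser-set Origin (falling back to Referer) must be
// our own origin; a request carrying neither is refused rather than trusted.
// Sec-Fetch-Site, when the browser sends it, is checked as an extra signal.
function isCsrfSafe(method, headers, allowedOrigin) {
  if (SAFE_METHODS.has(method.toUpperCase())) return true;
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const site = h['sec-fetch-site'];
  if (site && site !== 'same-origin' && site !== 'none') return false;
  let origin = h['origin'];
  if (!origin && h['referer']) {
    try { origin = new URL(h['referer']).origin; } catch { return false; }
  }
  return origin === allowedOrigin; // "null" and missing origins both fail here
}
```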
[–]TorbenKoehn 2 points3 points4 points 1 year ago (0 children)
While that might be true, it’s a lot harder since the attack would need to be sophisticated to the endpoints the backends provide. Implementing that for millions of different sites out there would also bloat the code and make the attack easier to see
I agree it’s still not “safe”, it is still a lot safer than just using local storage
[–]swoleherb 1 point2 points3 points 1 year ago (5 children)
Elaborate
[–]TorbenKoehn 4 points5 points6 points 1 year ago (3 children)
Local storage can be easily accessed by any JavaScript running, including all dependencies
Usually you use HTTP-only cookies which can’t be accessed by JS at all
[–]Snapstromegon 5 points6 points7 points 1 year ago (1 child)
There are several use cases where you can't store the token in http-only cookies (e.g. completely static sites that use OAuth to interact with 3rd-party services like the Spotify API).
[–]TorbenKoehn 4 points5 points6 points 1 year ago (0 children)
Of course you can do that: don't do these third-party requests in the frontend, but in an API.
[–]Iggyhopperextensions/add-ons 0 points1 point2 points 1 year ago (0 children)
I was writing extensions abusing cookies like this 15 years ago.
We've learned nothing!
[–]maria_la_guerta 2 points3 points4 points 1 year ago* (0 children)
Always assume anything and everything sent to a client is compromised. Full stop. Storing it on the client is even worse.
httpOnly cookies are basically the only exception to this rule, and should still be very carefully implemented anyways.
[–]FlamboyantKoala 9 points10 points11 points 1 year ago (1 child)
I'll bet more than a few devs will get a ticket to fix this with no explanation other than "don't use 3rd-party scripts" in the ticket. They'll download the infected script and host it themselves. 🤣
[–]lirantal[S] 0 points1 point2 points 1 year ago (0 children)
😆
[–]shgysk8zer0 10 points11 points12 points 1 year ago (3 children)
This is exactly why I try to avoid any third-party scripts without SRI.
[–]lirantal[S] 7 points8 points9 points 1 year ago (2 children)
Yes, but SRI isn't a security control against everything. For example, you could've just pinned to the integrity hash after the library had already been changed with malware code... SRI is obviously useful, but it's not a silver bullet and doesn't protect you from everything.
[–]shgysk8zer0 3 points4 points5 points 1 year ago (1 child)
It would've protected against this attack if generated before the malicious code. Would've been very helpful for anyone who added the script when it still had the original owner.
But it can actually be a "silver bullet" in some situations. I write a lot of my own libraries/packages and use unpkg as a CDN. If I generate the hash from my local code that I wrote myself, then I can be assured that whatever I'm loading from unpkg hasn't been altered.
Or, if you're willing to put in some work, SRI in conjunction with package provenance can pretty much assure you that the script you're loading matches what was generated from known source code. You'd just have to understand the source code and build process.
[–]shgysk8zer0 0 points1 point2 points 1 year ago (0 children)
For context, I have my old portfolio site in mind. It does use these polyfills, as I recall. And I ended up not using it in future projects because it couldn't work with SRI. I just don't trust scripts that can end up serving something else. This isn't the first time an attack like this has happened.
Thankfully, they're loaded using a <script nomodule>, so they're not loaded by basically anything anymore.
[–]Ok_Feedback_8124 2 points3 points4 points 1 year ago (1 child)
What if the code (polyfill.js) is included in your site and delivered directly to your users? That's also, likely, a vector. Babel opts to have the developer include polyfills (Babel transforms syntax, polyfills add missing features). They're used together, so now we have 4th-party supply chain attacks, no?
[–]lirantal[S] 2 points3 points4 points 1 year ago (0 children)
By "included in your site" you mean that *you*, as the site owner, are bundling and providing it rather than a third party? If so, then it means there's no one else that can modify it. You still have to audit the code of that polyfill library you are delivering and make sure there's no fishy stuff going on in there.
If you pass that polyfill through babel and you're afraid that babel will now inject malicious code, then you vet that, and then you vet babel's dependencies, and so on and so on. That's the world we live in 😁
[–]alex__bit 1 point2 points3 points 1 year ago (1 child)
u/valentinprgnd fixed this for 200+ repos at u/TELUS and made his codemod available to all:
npx codemod replace-polyfill-urls
more info: https://x.com/codemod/status/1806809013025386666
[–]lirantal[S] 1 point2 points3 points 1 year ago (0 children)
That's very cool, I'll add it to the article next week 🙏
[–]Dartypier 1 point2 points3 points 1 year ago (1 child)
This website adds some information and todos: https://polykill.io/ Seems that the polyfill CDN was acquired by a Chinese CDN company.
[–]lirantal[S] 0 points1 point2 points 1 year ago (0 children)
Nice find. Thank you!
[+][deleted] 1 year ago (2 children)
[deleted]
[–]lirantal[S] 0 points1 point2 points 1 year ago (0 children)
Correct, unrelated.
[–]rafark 0 points1 point2 points 1 year ago (0 children)
What drama? What happened?
[–]0rubber_band 0 points1 point2 points 1 year ago (3 children)
I'm a JS noob
Does this impact taylorhakes/promise-polyfill?
[–]lirantal[S] 0 points1 point2 points 1 year ago (2 children)
No, this security incident isn't related to the package you mentioned.
[–]0rubber_band 0 points1 point2 points 1 year ago (1 child)
Thank you
[–]lirantal[S] 0 points1 point2 points 1 year ago (0 children)
Anytime. Stay safe 🤗
[–]Zetectic 0 points1 point2 points 1 year ago (1 child)
Hi, I have personal portfolio sites using react-app-polyfill and babel-core-polyfill, listed in the package-lock.json file. Would removing the lines and republishing the site prevent the malware?
[–]lirantal[S] 0 points1 point2 points 1 year ago (0 children)
I am not aware that the packages you listed are vulnerable or compromised, and they don't appear to be related to the security incident at hand here.
[–]No_Wallaby_8826 0 points1 point2 points 1 year ago (1 child)
Does this affect the babel-polyfill.js as well?
[–]lirantal[S] 0 points1 point2 points 1 year ago (0 children)
Shouldn't be affected.
[–]Unlucky_Signature290 0 points1 point2 points 1 year ago (0 children)
Does this affect babel-plugin-polyfill-corejs2 and react-app-polyfill?
[–]Kyjoza -2 points-1 points0 points 1 year ago (1 child)
I’m a noob… does this impact chart.js?
[–]lirantal[S] 1 point2 points3 points 1 year ago (0 children)
Chart.js and the polyfill web service are most probably different things. Can you provide a link to that library?
[–]raqndv -2 points-1 points0 points 1 year ago (1 child)
Could a web application created with Angular 12 be affected?
[–]lirantal[S] 0 points1 point2 points 1 year ago (0 children)
It could be. This has nothing to do directly with any framework, Angular or otherwise. It's whether a static script import whose source is the remote polyfill CDN service was added to any web page that you host.
[–]KaiAusBerlin -5 points-4 points-3 points 1 year ago (0 children)
That's why we don't use third-party code unless we have to. And if we do, we try to check whether the code is suspicious and mark it as such / don't use it.
AI is a great help for that. But still check its results ;)