Tech giant Cloudflare urged customers to remove a popular open source library used to support older browsers after reports emerged this week that the tool is being used to distribute malware.
Polyfill, which is used by more than 100,000 websites, bridges compatibility gaps between modern code and older browsers.
Researchers at cybersecurity firm Sansec said in a report that Chinese company Funnull bought the polyfill.io domain and took control of its GitHub account.
The report notes that the original polyfill author, Fastly developer Andrew Betts, warned in February that anyone using it should remove it immediately, explaining that he never owned the domain name and had no influence over its sale.
Co/3xHecLPXkB, remove it IMMEDIATELY. I created the polyfill service project but I have never owned the domain name and I have had no influence over its sale.
Cloudflare leaders also disputed claims made on the polyfill.io website that they recommended the service or allowed the company to use their name on the website.
They said polyfill has ignored their requests to remove their name from the website and remove the false statements.
As of Thursday afternoon, the polyfill.io website did not load. Cloudflare's concerns about polyfill date back to Betts' comments in February, which prompted the company to create its own versions of the service.
Concerns about supply chain attacks were realized this week, when Sansec said it found one strain of malware delivered through polyfill that redirects mobile users to a sports betting site via a fake Google Analytics domain.
On social media, the person behind polyfill's X account published multiple messages about the fiasco, denying the reports of a supply chain attack.
Researchers directed Recorded Future News to concerns raised about polyfill on GitHub that were deleted and scrubbed from the polyfill page.
Critical Start's Jones noted that the incident highlights the inherent risk of relying on the security practices of third-party open source maintainers.
The polyfill situation comes just months after two incidents highlighted the difficulties facing the open source community: a pressure campaign against maintainers of OpenJS projects, and, a month earlier, the discovery of malicious code embedded in a popular Linux tool known as XZ Utils.
Both incidents spotlighted the urgent need to address weaknesses in the management of open source software.
In the XZ Utils situation, malicious actors preyed on an exhausted maintainer to gain access to the project; in the OpenJS case, the hackers repeatedly contacted maintainers demanding to be designated as a new maintainer of the project.
Critical Start's Jones said organizations need to implement stricter vetting procedures for adopted libraries and prioritize regular security audits to mitigate such risks.
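The redirect described above reaches a site only because the page pulls a script from a third-party host it does not control. The check that the vetting advice implies, as an added example that is not from the article, Sansec, Cloudflare or the polyfill project: a Python audit that walks a page's script tags, flags any loaded from polyfill.io (the only domain the article names; the rest of the deny list is yours to fill), flags any other cross-origin script without a Subresource Integrity attribute, and produces the hardened form, a vendored copy pinned to its hash. The sample HTML, the host static.example-cdn.test and the script body are constructed for the demo.

```python
"""Audit a page's <script> includes for supply-chain exposure and build SRI pins.
Added example; not code from the article or from the polyfill project."""
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains reported as taken over and serving malicious code.
# Only polyfill.io comes from the article; extend from your own intel.
FLAGGED_DOMAINS = {"polyfill.io"}

# Constructed sample page for the demo (hosts and paths are not real sites).
SAMPLE_HTML = """<!doctype html>
<html><head>
  <script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
  <script src="//static.example-cdn.test/lib.js"></script>
  <script src="/js/app.js"></script>
  <script>console.log("inline, not a supply-chain include");</script>
</head><body></body></html>
"""


class _ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> start tag, in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append({name.lower(): value for name, value in attrs})


def _host_of(src, first_party_host):
    """Host an src attribute loads from; relative paths resolve to the first party."""
    if src.startswith("//"):  # protocol-relative URL
        src = "https:" + src
    return (urlparse(src).hostname or first_party_host).lower()


def _is_flagged(host):
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)


def audit_scripts(html, first_party_host):
    """One finding per <script src=...>: critical = flagged domain,
    high = cross-origin without SRI, info = cross-origin pinned with SRI, ok = first party."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script, not an include
        host = _host_of(src, first_party_host)
        if _is_flagged(host):
            severity, reason = "critical", "loads from a domain reported as serving malicious code"
        elif host != first_party_host.lower():
            if attrs.get("integrity"):
                severity, reason = "info", "cross-origin script pinned with SRI"
            else:
                severity, reason = "high", "cross-origin script without SRI"
        else:
            severity, reason = "ok", "first-party script"
        findings.append({"src": src, "host": host, "severity": severity, "reason": reason})
    return findings


def sri_hash(content, algo="sha384"):
    """SRI integrity value ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content, integrity):
    """Check a fetched script body against its integrity attribute (constant-time compare)."""
    algo = integrity.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(content, algo), integrity)


def pinned_script_tag(src, content):
    """Hardened form: a tag for a vendored copy of the script, pinned to its hash."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML, "www.example.com"):
        print(f"{f['severity']:8} {f['host']:26} {f['reason']}")
    lib = b"window.myLib = {version: '1.0.0'};"  # constructed script body
    print(pinned_script_tag("/vendor/lib.js", lib))
```

The audit treats a pinned cross-origin script as informational rather than clean on purpose: SRI only protects a fixed file, and a service like polyfill.io that tailors its bundle to the requesting browser cannot be pinned at all, which is why the remediation is to vendor a fixed copy (or switch to a provider serving fixed builds) and pin that.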
Published on therecord.media. Publication date: Thu, 27 Jun 2024 21:05:22 +0000