Full Report
A Chinese company named Funnull acquired the Polyfill domain and GitHub repo, and inserted malware into polyfill.js that redirected users to gambling websites. Further pivoting revealed that Funnull had exposed a CloudFlare API key that linked the company to several CDN provid...
Analysis Summary
# Incident Report: Polyfill Supply Chain Compromise via Funnull Acquisition
## Executive Summary
A malicious actor, operating under the guise of the Chinese company Funnull, gained control of the Polyfill domain and GitHub repository. They injected malware into the `polyfill.js` file that redirected users to gambling websites, a severe supply chain attack because the script was loaded by many downstream sites. Subsequent investigation uncovered an exposed Cloudflare API key linked to Funnull, suggesting broader access to multiple CDN providers.
## Incident Details
- Discovery Date: June 25, 2024 (as per reference publication date)
- Incident Date: Attack commenced sometime after Funnull acquired control of the assets.
- Affected Organization: Polyfill (via domain/repo acquisition)
- Sector: Software/Infrastructure (CDN services)
- Geography: Unknown initial access point; impact is global due to CDN distribution.
## Timeline of Events
### Initial Access
- Date/Time: Post-acquisition of Polyfill domain and GitHub repo by Funnull.
- Vector: Insider Threat / Supply Chain Takeover.
- Details: The malicious entity (Funnull) seemingly gained legitimate control over the infrastructure hosting the Polyfill project assets. Files were subsequently modified by the new maintainers.
### Lateral Movement
- Details: Not explicitly detailed. The exposed Cloudflare API key, however, suggests that Funnull's access extended beyond the single repository to several CDN providers.
### Data Exfiltration/Impact
- Details: The primary impact was the injection of malicious code into `polyfill.js`, leading to the redirection of end-users to unauthorized gambling websites (Defacement/Malicious Redirection).
### Detection & Response
- Details: The incident was detected externally, most likely through user reports or security researchers noticing malicious redirects originating from the widely used library. Specific response actions by the security community or the original maintainers are not detailed; removal of the malicious payload would have been the first priority.
## Attack Methodology
- Initial Access: Supply Chain Compromise via Acquisition/Insider Threat (taking control of trusted repositories).
- Persistence: Maintaining control over the repository and file hosting infrastructure.
- Privilege Escalation: Not required; initial access already conferred administrative control of the assets.
- Defense Evasion: Utilizing a previously trusted domain and library for distribution.
- Credential Access: **Implied:** Exposure of a Cloudflare API key linked to Funnull.
- Discovery: Not detailed.
- Lateral Movement: **Implied:** Use of the exposed Cloudflare key to pivot to other CDN providers.
- Collection: Not detailed, though redirection to gambling sites suggests data/traffic harvesting might have been secondary.
- Exfiltration: Redirection of user traffic.
- Impact: Malicious redirection/Defacement.
## Impact Assessment
- Financial: Potential financial loss for affected downstream organizations relying on the library, and damage to the reputation of the Polyfill project.
- Data Breach: No specific PII data breach confirmed, but user traffic/session data could have been exposed during redirection.
- Operational: Disruption of services for any user loading the compromised script, potentially causing application breakage or security incidents for client websites.
- Reputational: Significant damage to trust in the open-source/CDN supply chain ecosystem.
## Indicators of Compromise
- Network Indicators: Malicious redirects originating from `polyfill.js` requests to gambling domains (defanged: `hXXps://gambling[.]url`).
- File Indicators: Malicious code insertion into `polyfill.js` (specific hashes unavailable in context).
- Behavioral Indicators: Unexpected redirection patterns observed during the loading of common front-end libraries.
## Response Actions
- Containment measures: Likely involved immediate rollback of the compromised `polyfill.js` file and revocation of the exposed Cloudflare API key.
- Eradication steps: Removing the malicious commit and ensuring control of the repository/domain reverted to trusted parties.
- Recovery actions: Not detailed, but would involve validation across all dependent CDNs.
## Lessons Learned
- Acquisitions of critical infrastructure (domains/repos) must undergo stringent security vetting, as they present a high-risk vector for supply chain attacks.
- Secrets management is critical; Cloudflare API keys should never be committed or stored in easily accessible configurations, especially when they control infrastructure that routes sensitive traffic.
## Recommendations
- Implement mandatory multi-factor authentication (MFA) and strict access control policies for all code repositories and infrastructure management dashboards (e.g., Cloudflare).
- Conduct source code and dependency audits frequently, focusing on file modifications in heavily used libraries, even after an apparent ownership change.
- Immediately rotate and secure all keys associated with cloud infrastructure providers (Cloudflare, AWS, etc.) upon confirmation of any suspicious administrative actions or key exposure.
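The dependency-audit recommendation above can be partly automated on the consuming side. The following is an added example, not part of the original report or of the Polyfill project: a small Python script that parses HTML and flags third-party `<script>` tags that load from a host on a watchlist (the watchlist and the sample HTML are constructed for the example) or that lack a Subresource Integrity `integrity` attribute. SRI is not mentioned in the report; it is assumed here as the standard browser-side control that makes a CDN-served script fail to load if its content changes after the consuming site pinned its hash.

```python
"""Audit HTML for third-party <script> tags that warrant review.

Findings are raised for external scripts that
  * load from a host on a watchlist (constructed here for the example), or
  * carry no integrity= attribute, so a hijacked CDN could serve
    modified content without the browser noticing.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed watchlist for this example; a real list would come from the
# organisation's own incident tracking, not from this script.
WATCHLIST = {"cdn.example-compromised.test"}


class _ScriptCollector(HTMLParser):
    """Collects the attribute dictionaries of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            # HTMLParser already lowercases attribute names.
            self.scripts.append(dict(attrs))


def audit_html(html: str, watchlist=WATCHLIST):
    """Return a list of findings, one per external script needing review."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: no third-party host to review
        # urlparse handles absolute and protocol-relative (//host/path) URLs;
        # a same-origin relative path has no hostname and is skipped.
        host = urlparse(src).hostname
        if host is None:
            continue
        reasons = []
        if host.lower() in watchlist:
            reasons.append("host on watchlist")
        if not attrs.get("integrity"):
            reasons.append("missing integrity attribute")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample page: one watchlisted script, one pinned with SRI,
# one protocol-relative script without SRI, one same-origin script, one inline.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-compromised.test/v3/polyfill.min.js"></script>
<script src="https://cdn.example-ok.test/lib.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="//cdn.example-ok.test/other.js"></script>
<script src="/static/app.js"></script>
<script>console.log("inline");</script>
</head></html>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(f"{finding['src']}: {', '.join(finding['reasons'])}")
```

Run against a site's rendered HTML (or its templates) the script reports two findings for the sample: the watchlisted polyfill script, and the protocol-relative script with no integrity hash. A script that is pinned with a valid `integrity` value is not reported, since the browser would refuse to execute it if the CDN started serving different bytes.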