After having its website shut down, the polyfill.io owner is fighting back against claims it smuggled suspicious code onto websites all across the internet.

In a series of angry Xeets over the past three days, what's likely the mysterious CDN operator that owns the Polyfill service accused CDN titan Cloudflare, the media, and others of "malicious defamation" and "slander." 

"We have no supply chain risks," the org claimed in one of several posts.

The angry missives follow multiple warnings from experts in the computer security industry - and even the creator of the open source Polyfill service project - telling anyone with a website using any JavaScript code from the polyfill.io domain to immediately remove it.

Following all that criticism, domain registrar Namecheap shut down polyfill.io. The site has since relaunched as polyfill[.]com, billed as a "free CDN for open source projects."

Back in February, CDN operator Funnull bought the .io domain and its associated GitHub account. Sometime after that, polyfill.io was caught sneaking naughty code onto sites in a supply-chain attack, according to e-commerce security outfit Sansec. More than 100,000 websites were at the start of the week carrying the site's scripts, the Sansec forensic team said.

We should note Funnull claims to be based in Slovenia while also "made in the USA," its various office addresses around the world on its website don't exist, and its WhatsApp and WeChat contact number is in the Philippines. The site's underlying language and Telegram profile is in Mandarin, leading many to suspect the business is a Chinese entity. The Polyfill Twitter account meanwhile says it's based in the UK.

Following the domain's sale in February, Cloudflare warned about it posing a supply-chain risk: Whoever controlled the .io could change the JavaScript code it offered to malicious scripts and infect a ton of sites all in one go. By Wednesday, Cloudflare said those worries had become a reality, and reported the Polyfill.io service was being used to inject malicious code into browsers.

Specifically, according to Cloudflare, "the polyfill.io service was being used to inject nefarious code that, under certain circumstances, redirected users to other websites." Sansec went into more detail in an earlier write-up, noting:

"This is a real threat to the internet at large given the popularity of this library," Cloudflare CEO and co-founder Matthew Prince noted in an advisory on Wednesday along with CTO John Graham-Cumming and senior director Michael Tremante. 

The cloud giant also spun up an automatic JavaScript URL rewriting service to make it easier for any Cloudflare-proxied websites to replace code from polyfill.io with that from Cloudflare's mirror.

"This will avoid breaking site functionality while mitigating the risk of a supply chain attack," the trio wrote. This feature has already activated on any website with a free plan, and paid-plans can turn it on with one click.

On Thursday, again via X/Twitter, whoever is behind the Polyfill service responded, describing Cloudflare's actions as "deplorable."

"Moving forward, I will be fully dedicated to developing a global CDN product that surpasses Cloudflare, showcasing the true power of capital," they added. The site owner claimed to have $50 million in funding, and added "the product design has been finalized." ®

https://www.theregister.com//2024/06/28/polyfillio_cloudflare_malware/