supply chain attack via Polyfill library

The original Polyfill repository on GitHub and the polyfill.io domain were sold in late February to a little-known company called Funnull. Even then, there were concerns about the safety of continuing to use the library loaded from this URL, and alternative sources (in addition to self-hosting) were suggested. The fears became reality last week: code was added to the library that redirects visitors to other websites via the URLs listed in the screenshot above. Among the affected websites are the JSTOR library, the Intuit website, the British newspaper Metro, and many others.


This incident can be classified as a typical supply chain attack: the provider of a technical solution for compatibility with older browsers at some point began malicious activity. It can also be used to assess the consequences of such an attack for affected web developers. In particular, Google promptly sent victims a letter recommending that they remove links to polyfill.io and proactively disabled advertising. For clients of the Cloudflare service, an automatic redirect from the malicious URL to a library fork that Cloudflare itself maintains was enabled. On June 27, the polyfill.io domain was disabled by the registrar Namecheap.

The new owners of polyfill.io released a rather vague rebuttal, claiming that “there is no risk of a supply chain attack.” After this, the library hosting was moved to another domain three times, since each newly created address was also blocked by the registrar. In addition to Cloudflare, the original Polyfill library is also distributed by the service Fast. It was later discovered that the new operator of polyfill.io also controls the BootCDN, Bootcss and Staticfile services, which could also be compromised.
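As an added defender-side check that is not part of the original article: a small Python scanner that lists `<script>` and `<link>` tags in a page's HTML whose host is polyfill.io (named above) or one of its subdomains, and handles the protocol-relative `//host/...` form that is easy to miss with a plain text search. The host names used for the BootCDN, Bootcss and Staticfile services, and the sample page, are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# polyfill.io is named in the article; the other host names are assumptions
# about the domains used by the BootCDN, Bootcss and Staticfile services.
SUSPECT_HOSTS = ("polyfill.io", "bootcdn.net", "bootcss.com", "staticfile.org")


def host_is_suspect(url, suspect_hosts=SUSPECT_HOSTS):
    """True if the URL's host equals or is a subdomain of a suspect host.
    Handles absolute and protocol-relative (//host/path) URLs; relative
    paths have no host and are never flagged, even if they contain the name."""
    url = url.strip()
    if url.startswith("//"):
        url = "https:" + url  # protocol-relative URL inherits the page scheme
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suspect_hosts)


class ExternalIncludeFinder(HTMLParser):
    """Collects (line, tag, url) for <script src> / <link href> on suspect hosts."""

    def __init__(self, suspect_hosts=SUSPECT_HOSTS):
        super().__init__()
        self.suspect_hosts = suspect_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = {"script": "src", "link": "href"}.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if url and host_is_suspect(url, self.suspect_hosts):
            self.findings.append((self.getpos()[0], tag, url))


def find_suspect_includes(html, suspect_hosts=SUSPECT_HOSTS):
    parser = ExternalIncludeFinder(suspect_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<link rel="stylesheet" href="https://cdn.bootcss.com/bootstrap/4.0.0/css/bootstrap.min.css">
<script src="/js/polyfill.io-local.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_suspect_includes(SAMPLE_HTML):
        print(f"line {line}: <{tag}> loads from {url}")
```

The Cloudflare-hosted copy on line 4 of the sample is deliberately not flagged, since the article describes it as the maintained fork rather than the compromised origin.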

What else happened?

Kaspersky Lab experts continue to investigate the code of the XZ Utils backdoor, another high-profile attempt to introduce malicious functionality into popular open source software. A new publication gives a detailed analysis of the backdoor's functionality, which allows logging into a vulnerable server with an arbitrary key or password. Another Kaspersky Lab publication explores common cyber threats to small businesses.

The publication 404 Media writes about a serious mistake by the developers of the hardware AI assistant Rabbit R1. The assistant's code contains hardcoded keys for accessing various services, which allows attackers, for example, to obtain the communication history of all users with the device. The keys were revoked in a way that led to temporary inoperability of Rabbit devices.

A vulnerability in AirPods headphones was discovered and patched that allowed connecting to the device without authorization if a potential attacker knew its MAC address.

The infrastructure of the TeamViewer remote access service has been compromised.

A new critical vulnerability has been discovered in the enterprise file sharing solution MOVEit. The issue in the SFTP module has a CVSS rating of 9.1 and allows bypassing the authorization system.

The latest update to the Chrome browser fixes four serious use-after-free vulnerabilities that could theoretically allow arbitrary code execution.

Another supply chain attack was discovered in a number of WordPress plugins. Malicious code was added to official updates for Social Warfare, Wrapper Link Elementor, and other plugins.
