Decipher File · February 2024 acquisition, June 2024 disclosure
Polyfill.io Supply Chain (June 2024): How One Acquired CDN Compromised 100K+ Websites
The Polyfill.io supply chain incident is the cybersecurity case study that proved JavaScript CDN domain ownership is a tier-zero supply chain control. In February 2024, a Chinese company named Funnull acquired the polyfill.io domain from its original maintainer Andrew Betts. By June 2024, the CDN was serving malicious JavaScript that redirected mobile users to scam sites. Per Sansec's June 25, 2024 investigation, more than 100,000 websites referenced the compromised CDN, including JSTOR, Intuit, and the World Economic Forum. Cloudflare auto-rewrote requests to a safe mirror and Google blocked Google Ads for affected sites.
Incident summary
Polyfill.io was a JavaScript service that automatically delivered browser-specific polyfills (compatibility shims) so that developers could write modern JavaScript that still worked on older browsers. The service was created by Andrew Betts in 2013 and was widely adopted in the 2010s as a defensive control against browser fragmentation. At its peak, more than one million websites referenced cdn.polyfill.io in their HTML source. The service was donated to the Financial Times and later spun out to the Fastly CDN.
In February 2024, the polyfill.io domain and associated GitHub repository were sold by their then-owners to a Chinese company named Funnull. Per Andrew Betts' February 25, 2024 public statement, Betts had no involvement in the sale and explicitly advised that sites should not use the polyfill.io service after the ownership change. Despite that warning, more than 100,000 websites continued to reference the CDN, in many cases because the script tag had been added years earlier and was no longer actively maintained.
Per Sansec's June 25, 2024 investigation, by mid-June 2024 the Funnull-controlled polyfill.io CDN was conditionally serving malicious JavaScript to mobile users. The malicious payload redirected the user to a sports-betting site at kuurza.com and to related scam destinations. Cloudflare and Google responded the same day: Cloudflare auto-rewrote requests for cdn.polyfill.io to its own mirror on cdnjs, and Google blocked Google Ads from advertiser landing pages that included the polyfill.io script tag. Namecheap suspended the polyfill.io domain on June 27, 2024.
Attack technique
MITRE ATT&CK maps the operation primarily to T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), with T1189 (Drive-by Compromise) covering the end-user exploitation step and T1659 (Content Injection) covering the in-transit injection of malicious JavaScript into otherwise-legitimate websites. The technique chain is structurally simple: acquire an actively used JavaScript CDN domain through a legitimate purchase, change the served content to include malicious code, and conditionally activate the payload to evade detection.
The conditional activation is the operationally interesting detail. Per Sansec, the malicious payload was served only to specific mobile user agents (iOS Safari and Android Chrome) and only in specific geographies. The conditional logic ran in the served JavaScript itself and inspected the user agent string and other browser-environment signals before activating. Desktop-based scanning by Sansec and others did not see the malicious behavior on initial reproduction. Sansec identified the pattern only after testing from mobile devices in specific markets.
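The detection gap described above (desktop scanners see clean content, mobile clients see something else) is the reason a third-party script check should fetch under several browser profiles and compare what comes back. The script below is an added example written for this page, not Sansec's or Cloudflare's tooling. It hashes the body returned for each profile and lists the profiles that diverge from a desktop baseline; the profile list, the `Accept-Language` values standing in for a coarse geography signal, and the `stub_fetch` responses are all constructed, and `http_fetch` is the live replacement for the stub.

```python
"""Differential fetch of one CDN resource under several browser profiles.
Added example for this page; profiles and stub responses are constructed."""
import hashlib
import urllib.request
from typing import Callable, Dict, List

# Constructed profiles: a desktop baseline plus the two mobile user agents the
# incident reports name. Accept-Language is a crude stand-in for geography.
PROFILES: Dict[str, Dict[str, str]] = {
    "desktop-chrome-us": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
        "Accept-Language": "en-US",
    },
    "ios-safari-us": {
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1",
        "Accept-Language": "en-US",
    },
    "android-chrome-xx": {
        "User-Agent": "Mozilla/5.0 (Linux; Android 14; Pixel 8) Chrome/120.0 Mobile",
        "Accept-Language": "xx-XX",  # placeholder locale, not a real market
    },
}

Fetcher = Callable[[str, Dict[str, str]], bytes]


def http_fetch(url: str, headers: Dict[str, str]) -> bytes:
    """Live fetcher for real use; the offline demo below uses stub_fetch instead."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def differential_scan(url: str, fetch: Fetcher,
                      profiles: Dict[str, Dict[str, str]] = PROFILES) -> Dict[str, str]:
    """Fetch url once per profile and return {profile_name: sha256(body)}."""
    return {name: hashlib.sha256(fetch(url, hdrs)).hexdigest()
            for name, hdrs in profiles.items()}


def divergent_profiles(digests: Dict[str, str],
                       baseline: str = "desktop-chrome-us") -> List[str]:
    """Profiles whose body differs from the baseline profile's body.
    An empty list means every profile received byte-identical content."""
    base = digests[baseline]
    return sorted(name for name, d in digests.items() if d != base)


def stub_fetch(url: str, headers: Dict[str, str]) -> bytes:
    """Constructed stand-in for a CDN that varies its response by user agent."""
    ua = headers.get("User-Agent", "")
    if "iPhone" in ua or "Android" in ua:
        return b"/* variant served to mobile UAs */ console.log('b');"
    return b"/* baseline */ console.log('a');"


if __name__ == "__main__":
    digests = differential_scan("https://cdn.example/polyfill.min.js", stub_fetch)
    print(divergent_profiles(digests))  # ['android-chrome-xx', 'ios-safari-us']
```

Divergence is a prompt to diff the two bodies, not proof of compromise on its own: the page notes that polyfill.io legitimately tailored its output to the requesting browser, so a known-good mirror of the same resource is the right comparison point when the hashes differ.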
The domain-ownership-change vector is structurally novel in scale. Prior supply chain attacks against JavaScript ecosystems typically involved compromise of npm packages or developer accounts. The Polyfill.io case demonstrated that a legitimate purchase of a CDN domain, with no compromise involved, can repurpose a tier-zero JavaScript dependency for malicious use against tens of thousands of downstream sites. Funnull was not a threat actor in the conventional sense. Funnull was a legitimately registered business entity that bought a domain through a normal commercial transaction. The change-in-control was the attack.
Cloudflare's auto-replacement response was the operationally significant defense move. Per Cloudflare's June 25, 2024 blog post, Cloudflare detected polyfill.io references in HTML served through its CDN and automatically rewrote those references to point at cdnjs.cloudflare.com's clean mirror. The rewrite was opt-out, not opt-in. Cloudflare treated the change as a security defense rather than a content modification. The decision was controversial because it represented Cloudflare modifying customer content without explicit per-customer consent, but it was widely accepted given the severity and customer education gap.
Impact and consequences
Per Sansec's June 25, 2024 investigation, more than 100,000 websites referenced the compromised polyfill.io CDN at the time of disclosure. Sansec listed notable affected sites including JSTOR, Intuit, the World Economic Forum, the Hulu marketing site, and Mercedes-Benz country sites. Many of those references were legacy script tags added in the 2010s and not actively maintained, which is why warnings from Andrew Betts in February 2024 did not produce remediation in the four-month window before the compromise was activated.
End-user impact was meaningful but contained by the conditional activation. The malicious payload activated only on specific mobile user agents in specific geographies, so the population that actually received the redirect was smaller than the 100,000 affected site count would suggest. End-users on iOS Safari and Android Chrome in targeted markets were redirected to kuurza.com or related scam sites. Desktop users on the same sites typically saw no malicious behavior. The narrow targeting was a deliberate detection-evasion choice, not a reflection of the campaign's reach.
Cloudflare and Google's response substantially capped downstream damage. Cloudflare's auto-replacement covered websites served through Cloudflare. Google's Google Ads policy block on advertiser landing pages including the polyfill.io script tag pushed paid-traffic site operators to remediate within hours. Namecheap's domain suspension on June 27, 2024 cut the CDN off completely. The combined response window was less than 72 hours from Sansec's disclosure to functional containment of the active CDN. The structural exposure (100,000 sites with legacy script tags) remained for months afterward.
The broader industry consequence was renewed attention to JavaScript supply chain controls. Subresource Integrity (SRI) usage in production HTML rose noticeably in the months following the incident based on HTTP Archive data. Multiple major CDNs added explicit ownership-change notification commitments. The W3C resumed work on content-versioning standards for CDN-delivered third-party JavaScript. The npm ecosystem accelerated package provenance and supply chain attestation efforts that had been in progress under the OpenSSF banner.
Indicators of Compromise
Specific artifacts defenders should hunt for. Cross-reference these against your existing detection rules before acting on them.
- Script tag references to cdn.polyfill.io in HTML source after February 2024
- Conditional malicious JavaScript served only to mobile user agents (iOS Safari, Android Chrome) and only for specific geographies, evading desktop-based scanning
- Redirect chain landing on sports-betting domain kuurza.com and related typosquat domains flagged by Sansec
- Funnull CDN serving polyfill.io content from AS54574, AS3854, and related ASN ranges after February 2024
- Cloudflare auto-rewritten request paths to cdnjs.cloudflare.com/polyfill mirror after June 25, 2024
- Google Ads policy block on advertiser landing pages including the polyfill.io script tag after June 25, 2024
Lessons for defenders
Subresource Integrity (SRI) is a structural control against this class of attack. SRI lets you specify a SHA-256 hash of the expected script content in the script tag itself. If the served content does not match the hash, the browser refuses to execute it. SRI usage was negligible on most of the affected polyfill.io sites. Where SRI was in place, the browser would have refused to execute the malicious payload because its hash no longer matched the pinned value. OWASP's third-party JavaScript management cheatsheet is the reference document.
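To make the SRI mechanism concrete, here is an added example (written for this page, not taken from OWASP or the Polyfill.io project) that computes an `integrity` value for a script body, emits the pinning `<script>` tag, and models the browser's check against a later response whose bytes changed. The script bodies are constructed. The helper accepts the three digest families the SRI specification allows (sha256, sha384, sha512) and defaults to sha384, which is the common recommendation; the page's SHA-256 wording is covered by passing `"sha256"`. One caveat follows from the page's own description of the service: polyfill.io served browser-specific bundles, so a single pinned hash only works once you freeze the content you serve, which is why SRI goes hand in hand with version pinning or self-hosting.

```python
"""Subresource Integrity helper: compute an integrity value for a pinned script
and check a later fetch against it the way a browser does. Added example for
this page; the script bodies are constructed."""
import base64
import hashlib

ALLOWED = ("sha256", "sha384", "sha512")  # the digest families SRI permits


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return '<algo>-<base64 digest>', the form the integrity attribute takes."""
    if algo not in ALLOWED:
        raise ValueError(f"SRI allows only {ALLOWED}, got {algo!r}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes, algo: str = "sha384") -> str:
    """Build the pinning <script> tag. crossorigin is required for cross-origin
    scripts, otherwise the browser cannot read the response to hash it."""
    return (f'<script src="{src}" integrity="{sri_hash(body, algo)}" '
            f'crossorigin="anonymous"></script>')


def browser_would_execute(integrity: str, served: bytes) -> bool:
    """Model the browser check: recompute with the attribute's own algorithm and
    compare. Any mismatch means the script is discarded, never executed."""
    algo, _, _ = integrity.partition("-")
    return sri_hash(served, algo) == integrity


# Constructed bodies: the content pinned at deploy time, and a later response
# whose bytes differ (any change at all, benign or malicious, fails the check).
PINNED = b"(function(){ /* polyfill bundle v3 */ })();"
CHANGED = b"(function(){ /* polyfill bundle v3 */ })(); /* trailing edit */"

if __name__ == "__main__":
    print(script_tag("https://cdn.example/polyfill.min.js", PINNED))
    print(browser_would_execute(sri_hash(PINNED), PINNED))   # True
    print(browser_would_execute(sri_hash(PINNED), CHANGED))  # False
```

The helper raises on an unknown algorithm name rather than falling through, because browsers silently ignore integrity tokens with an unrecognized algorithm and load the resource unchecked; a typo such as `sha-384` in a real tag disables the protection without any visible error.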
Inventory third-party JavaScript and audit it on a recurring schedule. The polyfill.io references on most affected sites were legacy script tags added years earlier and forgotten. Third-party JavaScript inventory should sit alongside vendor and dependency inventory in your asset management. Schedule quarterly review of script tags in production HTML and explicit revalidation of the upstream relationship for each. Andrew Betts' February 2024 warning would have been actionable for any organization that ran such a review.
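The inventory step above and the indicator list earlier on this page come together in a small audit script, added here as an example and not part of the page or of OWASP's cheatsheet. It parses production HTML with the standard library parser, skips first-party scripts, flags any script whose host is on a watchlist (seeded from the cdn.polyfill.io indicator the page names) and reports third-party scripts that carry no `integrity` attribute. The sample HTML, the `cdn.example-vendor` host and the `sha384-CONSTRUCTED_PLACEHOLDER` value are constructed; the watchlist is meant to be extended from your own intelligence.

```python
"""Third-party <script> inventory and SRI audit over an HTML document.
Added example for this page; sample HTML and watchlist seed are constructed."""
from collections import Counter
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Hosts the page names as indicators; extend from your own intel.
WATCHLIST: Set[str] = {"cdn.polyfill.io", "polyfill.io"}


class ScriptCollector(HTMLParser):
    """Collects the attribute map of every <script> tag that has a src."""
    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, Optional[str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append(a)


def script_host(src: str) -> Optional[str]:
    """Hostname of a script src; None for relative (first-party) paths."""
    if src.startswith("//"):          # protocol-relative URL
        src = "https:" + src
    return urlparse(src).hostname


def on_watchlist(host: str) -> bool:
    return host in WATCHLIST or any(host.endswith("." + w) for w in WATCHLIST)


def audit_html(html: str, own_hosts: Set[str]) -> List[Dict[str, str]]:
    """One finding per external script: critical (watchlisted host),
    high (third-party without SRI) or info (third-party with SRI)."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for a in parser.scripts:
        host = script_host(a["src"])
        if host is None or host in own_hosts:
            continue                      # first-party, out of scope here
        if on_watchlist(host):
            sev, why = "critical", "host on watchlist"
        elif not a.get("integrity"):
            sev, why = "high", "third-party script without SRI"
        else:
            sev, why = "info", "third-party script with SRI"
        findings.append({"src": a["src"], "host": host, "severity": sev, "reason": why})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    return dict(Counter(f["severity"] for f in findings))


# Constructed sample page: a legacy polyfill.io tag, an unpinned vendor script,
# a first-party script and a pinned script on the cdnjs mirror.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.example-vendor/analytics.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"
        integrity="sha384-CONSTRUCTED_PLACEHOLDER" crossorigin="anonymous"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    results = audit_html(SAMPLE_HTML, own_hosts={"www.example"})
    for f in results:
        print(f["severity"], f["host"], f["reason"])
    print(summarize(results))  # {'critical': 1, 'high': 1, 'info': 1}
```

Run it over the rendered HTML of each production page on the quarterly cadence the page recommends, and keep the output as the inventory record so that the next run can diff against it; scripts injected at runtime by other scripts are not visible to a static parse, and need a browser-driven crawl to enumerate.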
Monitor CDN domain ownership changes as a security event. The change-in-control of polyfill.io from Andrew Betts to Funnull in February 2024 was the moment defenders had to act. WHOIS monitoring, certificate transparency log monitoring, and DNS-record monitoring on third-party JavaScript hosts surface that signal. Multiple security vendors now offer this as a CDN supply chain monitoring product. Build or buy that capability for the JavaScript dependencies you cannot easily self-host.
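The ownership-change signal the paragraph above describes reduces to a diff between a saved baseline of control records for each third-party script host and a fresh snapshot, with registrant and nameserver changes treated as change-in-control. The comparator below is an added example for this page, not a vendor's product; the baseline and current records, the hostname, the IP addresses (RFC 5737 documentation ranges) and the ASNs (private-use range) are all constructed, and collecting the live records from WHOIS/RDAP and DNS is left to whatever client you already use.

```python
"""Change-in-control monitor for a third-party script host: diff a stored
baseline of control records against a fresh snapshot. Added example for this
page; all records below are constructed."""
from typing import Any, Dict, List

CONTROL_FIELDS = ("registrar", "registrant_org", "nameservers")  # who controls the name
HOSTING_FIELDS = ("a_records",)                                  # where it is served from

# Constructed baseline captured when the dependency was first approved.
BASELINE: Dict[str, Any] = {
    "host": "cdn.example-polyfill",
    "registrar": "Registrar A (constructed)",
    "registrant_org": "Original Maintainer (constructed)",
    "nameservers": ["ns1.old-dns.example", "ns2.old-dns.example"],
    "a_records": {"192.0.2.10": "AS64496"},      # ip -> origin ASN
}

# Constructed fresh snapshot: new registrant, same nameservers in another
# order, and the A record moved to a different network.
CURRENT: Dict[str, Any] = {
    "host": "cdn.example-polyfill",
    "registrar": "Registrar A (constructed)",
    "registrant_org": "New Owner Ltd (constructed)",
    "nameservers": ["ns2.old-dns.example", "ns1.old-dns.example"],
    "a_records": {"198.51.100.20": "AS64497"},
}


def changed_fields(base: Dict[str, Any], cur: Dict[str, Any]) -> List[str]:
    """Fields whose value differs; list order (nameservers) is not a signal."""
    out = []
    for field in CONTROL_FIELDS + HOSTING_FIELDS:
        b, c = base.get(field), cur.get(field)
        if isinstance(b, list) and isinstance(c, list):
            b, c = sorted(b), sorted(c)
        if b != c:
            out.append(field)
    return out


def new_asns(base: Dict[str, Any], cur: Dict[str, Any]) -> List[str]:
    """ASNs now announcing the host that were not in the baseline."""
    return sorted(set(cur["a_records"].values()) - set(base["a_records"].values()))


def classify(base: Dict[str, Any], cur: Dict[str, Any]) -> str:
    """critical = change-in-control, high = hosting move only, none = no change."""
    changed = changed_fields(base, cur)
    if any(f in CONTROL_FIELDS for f in changed):
        return "critical"
    return "high" if changed else "none"


if __name__ == "__main__":
    print(changed_fields(BASELINE, CURRENT))  # ['registrant_org', 'a_records']
    print(new_asns(BASELINE, CURRENT))        # ['AS64497']
    print(classify(BASELINE, CURRENT))        # critical
```

Registrant fields are often privacy-redacted today, so in practice the nameserver and hosting diffs carry most of the signal; a new certificate for the host appearing in certificate transparency logs from an issuer the baseline never used is the third signal the paragraph names and is worth adding as a further field once you have a CT feed.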
Self-hosting third-party JavaScript is a legitimate defensive control. Pulling polyfill.io content into your own CDN, version-pinning it, and serving from your origin defeats the change-in-control vector entirely. The trade-off is that you take on the operational burden of monitoring upstream changes and updating your pinned version. For tier-zero JavaScript dependencies on customer-facing pages, that trade-off is usually worth making. Cloudflare's cdnjs mirror, Fastly's polyfill mirror, and self-hosted bundles are the post-incident replacements that most organizations adopted.
Frequently asked questions
What happened with polyfill.io in 2024?
In February 2024, a Chinese company named Funnull acquired the polyfill.io domain and GitHub repository. Per Sansec's June 25, 2024 investigation, by mid-June 2024 the Funnull-controlled CDN was conditionally serving malicious JavaScript that redirected mobile users to scam sites including kuurza.com. More than 100,000 websites referenced the CDN at the time of disclosure, including JSTOR, Intuit, and the World Economic Forum. Cloudflare auto-rewrote requests to a clean mirror and Namecheap suspended the domain on June 27, 2024.
How did the polyfill.io attack work technically?
The malicious payload was JavaScript served conditionally from the Funnull-controlled CDN. The payload inspected the user agent and geographic signals in the browser before activating, so it served clean content to desktop scanners and malicious content to mobile users in targeted markets. The technique chain maps to MITRE T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), T1659 (Content Injection), and T1189 (Drive-by Compromise) for the end-user exploitation step.
Who acquired polyfill.io and was it a legitimate purchase?
Per Andrew Betts' February 25, 2024 public statement, the polyfill.io domain and associated GitHub repository were sold to a Chinese company named Funnull. The transaction itself was a legitimate commercial purchase. Betts had no involvement in the sale and explicitly warned that sites should stop using polyfill.io after the ownership change. The attack was not a compromise of polyfill.io in the conventional sense. It was a legitimate purchase followed by malicious content delivery.
How did Cloudflare and Google respond to the polyfill.io compromise?
Per Cloudflare's June 25, 2024 blog post, Cloudflare detected polyfill.io references in HTML served through its CDN and automatically rewrote those references to point at cdnjs.cloudflare.com's clean mirror. Google blocked Google Ads on advertiser landing pages that included the polyfill.io script tag. Namecheap suspended the polyfill.io domain on June 27, 2024. The combined response window from Sansec's disclosure to functional containment was less than 72 hours.
What is Subresource Integrity and would it have prevented the polyfill.io attack?
Subresource Integrity (SRI) is a browser feature that lets you specify a SHA-256 hash of the expected script content in the script tag. If the served content does not match the hash, the browser refuses to execute it. SRI would have defeated the polyfill.io attack at the browser level: the new malicious content would not match the previously-pinned hash, and the script would have failed to execute. SRI usage on the affected sites was negligible, which is why the attack reached users at all.
How should I audit third-party JavaScript on my website?
Inventory script tags in your production HTML on a recurring schedule (quarterly is the recommended cadence). For each third-party script, confirm the upstream domain ownership has not changed via WHOIS monitoring, pin the content version where possible, add Subresource Integrity (SRI) hashes to script tags, and consider self-hosting tier-zero JavaScript dependencies on your own CDN. OWASP's third-party JavaScript management cheatsheet is the canonical reference.
Sources
- Sansec: Polyfill Supply Chain Attack Hits 100K+ Sites · Sansec's June 25, 2024 investigation with technique chain and victim count
- Cloudflare: Automatically Replacing Polyfill.io Links with Cloudflare's Mirror · Cloudflare's June 25, 2024 disclosure of the auto-replacement mitigation and the domain ownership change context
- Andrew Betts on the Polyfill.io Service Hand-Off · Original polyfill.io maintainer Andrew Betts' February 25, 2024 statement that the polyfill.io domain had been sold and warning against using it
- Namecheap: Polyfill.io Domain Suspension · Namecheap's June 27, 2024 suspension of the polyfill.io domain following the disclosures
- OWASP: Subresource Integrity (SRI) Cheat Sheet · OWASP guidance on third-party JavaScript and SRI as the structural defense against this class of compromise
- Google Search Central: Detecting Compromised Polyfill.io · Google's June 2024 advisory on the compromised CDN and the Google Ads policy response