Back to Intelligence

Polyfill.io Supply Chain Compromise: Detecting Malicious CDN Injection and Credential Phishing

SA
Security Arsenal Team
June 6, 2026
5 min read

Security teams at major global brands, including Toshiba and Muji, are currently issuing urgent warnings to customers regarding suspicious sign-in prompts appearing on their official websites. These alerts stem from a confirmed active exploitation of the Polyfill.io supply chain.

The domain, previously a trusted repository for JavaScript polyfills, began serving malicious payloads following a change in ownership. Attackers are leveraging this trust to inject credential-harvesting scripts into unsuspecting websites. For defenders, this is not merely a web developer issue; it is an active Adversary-in-the-Middle (AiTM) campaign utilizing a compromised CDN to harvest credentials from enterprise users visiting legitimate, yet infected, domains.

Technical Analysis

Threat Vector: Supply Chain Compromise via Malicious JavaScript CDN Affected Component: External JavaScript references to polyfill.io and related domains (e.g., bootcdn.net). Impact: Credential Theft (AiTM), Malvertising, Mobile Redirection.

Attack Chain

  1. Ingestion: A victim visits a legitimate website (e.g., a vendor portal or e-commerce site) that includes a reference to the polyfill.io CDN in its HTML source code.
  2. Execution: The victim's browser requests the script from the attacker-controlled server. The server analyzes the request (User-Agent, IP geolocation).
  3. Payload Delivery:
    • For Enterprise/Mobile Traffic: The server returns malicious JavaScript designed to simulate legitimate login overlays (e.g., "Sign in to continue" prompts).
    • For Desktop/Bot Traffic: It may serve adware or perform silent redirections.
  4. Credential Harvesting: The injected script presents a fake login modal. When the user enters credentials, the data is exfiltrated to the attacker's infrastructure before the user is redirected to the legitimate site, often hiding the compromise.

Exploitation Status

  • Status: Confirmed Active Exploitation. Organizations are actively reporting credential phishing artifacts tied to this domain.
  • Vulnerability Class: CWE-829: Inclusion of Functionality from Untrusted Control Sphere (Supply Chain).

Detection & Response

Defenders must immediately hunt for traffic destined for the compromised infrastructure. Blocking the domains is a temporary mitigation; identifying and remediating the internal web assets calling these domains is the permanent fix.

Sigma Rules

YAML
---
title: Polyfill.io Malicious CDN Domain Request
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects DNS or Network connections to the compromised Polyfill.io domain or its known malicious mirrors, often used to deliver credential harvesting scripts.
references:
  - https://www.bleepingcomputer.com/news/security/suspicious-polyfill-login-prompts-pop-up-on-toshiba-muji-websites/
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.initial_access
  - attack.t1190
  - attack.supply_chain
logsource:
  category: dns_query
  product: windows
detection:
  selection:
    QueryName|contains:
      - 'polyfill.io'
      - 'bootcdn.net'
  condition: selection
falsepositives:
  - Legacy web applications utilizing these libraries (currently high risk)
level: high
---
title: Polyfill.js Script Download via Proxy
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects web proxy traffic downloading JavaScript from the compromised Polyfill.io domain.
references:
  - https://www.bleepingcomputer.com/news/security/suspicious-polyfill-login-prompts-pop-up-on-toshiba-muji-websites/
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: proxy
  product: any
detection:
  selection:
    cs-host|contains:
      - 'polyfill.io'
    c-uri|endswith:
      - '.js'
  condition: selection
falsepositives:
  - Legacy web applications
level: high

KQL (Microsoft Sentinel)

This query hunts for endpoints or proxies communicating with the malicious domains.

KQL — Microsoft Sentinel / Defender
// Hunt for Polyfill.io related network traffic
DeviceNetworkEvents
| where RemoteUrl in ("polyfill.io", "www.polyfill.io", "bootcdn.net")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, LocalPort
| summarize count() by DeviceName, RemoteUrl, bin(Timestamp, 1h)
| order by count_ desc

Velociraptor VQL

Hunt for DNS cache entries or recent connections to the compromised domains on endpoints.

VQL — Velociraptor
-- Hunt for Polyfill.io indicators in DNS cache and recent connections
SELECT 
    Fqdn, 
    Timestamp, 
    Type
FROM dns_cache()
WHERE Fqdn =~ 'polyfill.io' 
   OR Fqdn =~ 'bootcdn.net'

UNION ALL

SELECT 
    RemoteAddress, 
    RemotePort, 
    StartTime
FROM listen_connections()
WHERE RemoteAddress =~ 'polyfill' 
   OR RemoteAddress =~ 'bootcdn'

Remediation Script (PowerShell)

Use this script to audit internal web servers for references to the compromised Polyfill.io domain. Run this on your web content servers or source code repositories.

PowerShell
# Audit Web Content for Polyfill.io References
# Run as Administrator on Web Servers or against source directories

$AuditPath = "C:\inetpub\wwwroot" # Adjust to your web root or source code directory
$Pattern = "polyfill\.io"
$Results = @()

Write-Host "[+] Starting audit for compromised Polyfill.io references in: $AuditPath"

if (Test-Path $AuditPath) {
    $Files = Get-ChildItem -Path $AuditPath -Recurse -Include *.html, *.js, *.aspx, *.php, *.jsp
    
    foreach ($File in $Files) {
        $Content = Get-Content -Path $File.FullName -Raw -ErrorAction SilentlyContinue
        if ($Content -match $Pattern) {
            $Results += [PSCustomObject]@{
                File = $File.FullName
                Status = "VULNERABLE - Compromised CDN Reference Found"
            }
            Write-Host "[!] Found reference in: $($File.FullName)" -ForegroundColor Red
        }
    }

    if ($Results.Count -eq 0) {
        Write-Host "[+] No compromised references found." -ForegroundColor Green
    } else {
        Write-Host "[!] Audit Complete. Vulnerable files found: $($Results.Count)" -ForegroundColor Yellow
        $Results | Export-Csv -Path "C:\Temp\PolyfillAudit.csv" -NoTypeInformation
    }
} else {
    Write-Host "[-] Path not found: $AuditPath" -ForegroundColor Red
}

Remediation

Immediate action is required to prevent credential loss and comply with supply chain security standards.

  1. Identify and Replace: Audit all public-facing web applications. Replace any references to https://polyfill.io or https://bootcdn.net with trusted, secured alternatives such as:

    • Cloudflare: https://cdnjs.cloudflare.com/ajax/libs/polyfill/...
    • Fastly: https://polyfill-fastly.io (Note: Verify specific version availability)
    • Best Practice: Bundle the necessary polyfills locally within your build process to eliminate external dependencies.

  2. Network Blocking: Update firewall, proxy, and DNS filter policies to block requests to:

    • polyfill.io
    • bootcdn.net
    • Any associated IP ranges identified in threat intelligence feeds.

  3. User Awareness: Notify users that if they encountered suspicious login prompts on your site recently, they should rotate their passwords and enable MIM protection (e.g., FIDO2 keys).

  4. Source Code Integrity: Scan source code repositories (Git) for historical commits containing these URLs to ensure no re-introduction occurs during rollbacks.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub

penetration-testingred-teamoffensive-securityexploitvulnerability-researchpolyfillsupply-chainweb-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action