In this episode of the Intrusions InDepth Podcast, host Josh Stepp dives into the 2024 Polyfill.io incident, a wake-up call for the web development community that exposed the vulnerabilities of the internet’s sprawling infrastructure. What began as a trusted open-source service, used by over 100,000 websites to ensure cross-browser compatibility, turned into a vehicle for widespread malware distribution after its domain and GitHub repository were sold to a Chinese company, Funnull. Josh explores the timeline of the attack, the mechanics of the malicious JavaScript payloads, and the broader implications for open-source software and internet trust. With a mix of technical analysis, commentary on open-source economics, and a touch of conspiracy-adjacent speculation, this episode unpacks how a seemingly innocuous service became a vector for a global cyberattack and what it means for the future of the web.
Main Topics Discussed
Polyfill.io Attack Overview
Timeline of Events
Malware Mechanics
Open-Source Vulnerabilities
Implications and Solutions
Call to Action:
Subscribe to the podcast for more episodes on high-profile cyber intrusions.
Visit our website at intrusionsindepth.com for additional stories and insights.
Share your thoughts on social media using #IntrusionsInDepth.
Links and Resources:
https://blog.qualys.com/vulnerabilities-threat-research/2024/06/28/polyfill-io-supply-chain-attack
https://cside.dev/blog/the-polyfill-attack-explained
https://therecord.media/polyfill-cloudflare-trade-barbs-supply-chain-attack
https://news.ycombinator.com/item?id=40792136
https://news.ycombinator.com/item?id=40804254
https://risky.biz/RB755/
https://web.archive.org/web/20230505112634/https://polyfill.io/v3/ownership-transfer
https://web.archive.org/web/20230601214142/https://jakechampion.name/
https://web.archive.org/web/20231011015804/https://polyfill.io/
https://web.archive.org/web/20231101040617/https://polyfill.io/
https://github.com/polyfillpolyfill/polyfill-service/commit/5f4fc040e09436371f70ffcebe47ca0e3cdccac0
https://github.com/polyfillpolyfill/polyfill-service/commit/aa261a834b36131e8dbd20d725c6b5d773f736d9
https://github.com/polyfillpolyfill/polyfill-service/issues/2892
https://sansec.io/research/polyfill-supply-chain-attack
https://www.theregister.com/2025/05/06/from_russia_with_doubt_go/
https://huntedlabs.com/the-russian-open-source-project-that-we-cant-live-without/
https://x.com/weirddalle/status/1922396432977346973
https://www.berkshirehathaway.com/
https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk/
https://blog.cloudflare.com/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-safer-internet/
Host: Josh Stepp
Produced by: Josh Stepp
Thank you for tuning in to Intrusions InDepth. Stay informed, stay safe, and see you in the next episode!