Critical Supply Chain Attack: Polyfill Service Compromised, Over 100,000 Websites at Risk

Written by Kris Black on June 28, 2024

The Attack Explained

In a shocking revelation, over 100,000 websites have fallen victim to a devastating supply chain attack through a widely-used service for delivering JavaScript polyfills. The attack, which emerged after the service was acquired by a Chinese entity, injected malicious scripts into websites, redirecting users to harmful sites and exposing sensitive information.

How the Attack Unfolded

  1. Ownership Change: The service was sold to a Chinese company, raising concerns over control and security.
  2. Malicious Injection: The new management began injecting malicious JavaScript into the polyfills served, affecting any website that included the script.
  3. Redirection to Malicious Sites: The injected scripts primarily targeted mobile users, redirecting them to sites designed to steal personal information or deliver malware.

Industry Response

The response from the web development community and major infrastructure providers has been swift. Cloudflare and Namecheap have recommended immediate action to mitigate the risks:

  • Remove References: Website owners are urged to remove any references to the service's scripts from their codebase.
  • Explore Alternatives: Developers should consider alternative solutions for delivering polyfills, such as module/nomodule patterns or Babel's useBuiltIns feature.
  • Enhanced Security Measures: Strengthen website security protocols to prevent similar supply chain attacks in the future.

Moving Forward: Protecting Your Website

This attack highlights the critical importance of scrutinizing third-party dependencies. Here are steps you can take to secure your site:

  • Audit Third-Party Libraries: Regularly audit and update third-party libraries to ensure they are secure and maintained.
  • Implement CSP (Content Security Policy): A robust CSP restricts which origins may serve scripts, so a script injected from an unexpected host is blocked before it runs.
  • Monitor Network Traffic: Keep an eye on unusual network traffic patterns that might indicate malicious activity.
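The two lists above (remove references to the compromised service, and audit third-party libraries plus deploy a CSP) can be turned into a repeatable check. The following Node.js script is an added example written for this page; it is not code from the article, from Cloudflare or Namecheap, or from the compromised service. It scans an HTML page for third-party `<script>` tags, flags any that load from a host you have decided to drop, flags remaining external scripts that lack a Subresource Integrity attribute, and builds a `script-src` CSP allowlist that it then evaluates against each script URL. The site origin, every host name (all under the reserved `.invalid` TLD) and the sample page are constructed placeholders, and the CSP matcher is a deliberately simplified model of what browsers do.

```javascript
// Added example (not from the article or the compromised service): a small
// Node.js audit that finds third-party <script> tags in an HTML page, flags
// any that load from a host on a removal list, flags external scripts that
// lack Subresource Integrity, and builds a script-src CSP allowlist.
// All host names below are constructed placeholders (.invalid TLD).

const SITE_ORIGIN = 'https://www.example.invalid'; // the audited site's own origin (assumed)

// Matches <script ... src="..."> tags and captures the src value.
const SCRIPT_TAG_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Returns every script tag that loads from a host other than the site's own.
function findExternalScripts(html, siteOrigin = SITE_ORIGIN) {
  const ownHost = new URL(siteOrigin).host;
  const scripts = [];
  for (const match of html.matchAll(SCRIPT_TAG_RE)) {
    const [tag, src] = match;
    let host;
    try {
      // Relative and protocol-relative URLs resolve against the site's own origin.
      host = new URL(src, siteOrigin + '/').host.toLowerCase();
    } catch {
      continue; // unparsable src; nothing to resolve
    }
    if (host === ownHost) continue; // same-origin script, not a third-party dependency
    scripts.push({ src, host, hasIntegrity: /\bintegrity\s*=/i.test(tag) });
  }
  return scripts;
}

// Produces findings: 'critical' for references to hosts on the removal list
// (delete these outright), 'warning' for any remaining third-party script
// served without an integrity attribute (a CDN compromise would change the
// file silently).
function auditScripts(html, untrustedHosts, siteOrigin = SITE_ORIGIN) {
  const untrusted = new Set(untrustedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const s of findExternalScripts(html, siteOrigin)) {
    if (untrusted.has(s.host)) {
      findings.push({ severity: 'critical', src: s.src, reason: `loads from ${s.host}; remove this reference` });
    } else if (!s.hasIntegrity) {
      findings.push({ severity: 'warning', src: s.src, reason: 'third-party script without an integrity attribute' });
    }
  }
  return findings;
}

// Builds a script-src directive from an explicit allowlist: 'self' plus the
// named hosts over https, with no wildcards and no 'unsafe-inline'.
function buildScriptSrcCsp(allowedHosts) {
  const sources = ["'self'", ...allowedHosts.map((h) => `https://${h}`)];
  return `script-src ${sources.join(' ')}`;
}

// Simplified check of whether a script URL is permitted by the policy's
// script-src directive. Only 'self' and https://host sources are handled;
// real browsers also match paths, schemes, nonces and hashes.
function cspAllowsScript(policy, scriptUrl, siteOrigin = SITE_ORIGIN) {
  const directive = policy.split(';').map((d) => d.trim()).find((d) => /^script-src\b/.test(d));
  if (!directive) return false;
  const sources = directive.split(/\s+/).slice(1);
  const target = new URL(scriptUrl).origin;
  const own = new URL(siteOrigin).origin;
  return sources.some((src) => (src === "'self'" ? target === own : src === target));
}

// Constructed sample page exercising each case (placeholder hosts and hash).
const SAMPLE_HTML = `
<html><head>
  <script src="/js/app.js"></script>
  <script src="https://cdn.dropped-polyfill.invalid/v3/polyfill.min.js"></script>
  <script src="https://cdn.trusted-vendor.invalid/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
  <script src="//cdn.analytics-vendor.invalid/track.js"></script>
</head><body></body></html>`;

const REMOVE_HOSTS = ['cdn.dropped-polyfill.invalid']; // hosts to purge from the codebase
const ALLOW_HOSTS = ['cdn.trusted-vendor.invalid'];    // hosts the CSP may load scripts from

for (const f of auditScripts(SAMPLE_HTML, REMOVE_HOSTS)) {
  console.log(`[${f.severity}] ${f.src}: ${f.reason}`);
}
const policy = buildScriptSrcCsp(ALLOW_HOSTS);
console.log('Content-Security-Policy:', policy);
for (const s of findExternalScripts(SAMPLE_HTML)) {
  const url = new URL(s.src, SITE_ORIGIN + '/').href;
  console.log(`${cspAllowsScript(policy, url) ? 'allowed' : 'blocked'}: ${url}`);
}
```

Run it with `node audit.js` against your own page source by replacing `SAMPLE_HTML` with the file contents; in practice you would walk the whole template tree rather than one string. The `critical` finding is the reference to delete, the `warning` findings are the remaining third-party scripts that should either gain an `integrity` attribute or be bundled locally (the module/nomodule or Babel `useBuiltIns` route), and the generated header is what the CSP would have blocked had the injection originated from a host outside the allowlist.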


The supply chain attack serves as a stark reminder of the vulnerabilities inherent in relying on third-party services. By staying vigilant and proactive, website owners can protect their sites and users from similar threats in the future.


  • Sansec's detailed research on the attack can be found here.
  • Special thanks to Theo for breaking this news. Check out his YouTube channel here.
  • List of sites affected: Click here