mdlbear ([personal profile] mdlbear) wrote 2024-06-26 01:00 pm

Public Service Announcement: Stop Using polyfill dot io

If you happen to be developing websites using the polyfill.io JavaScript library, drop everything and DELETE IT NOW! The domain was purchased by what's said to be a Chinese malware organization, which is using the library to redirect users to sports betting websites. More at:

@ solarbird | if you use polyfill dot io, stop RIGHT NOW and read this
@ Renaud Chaput: "polyfill.io malware injection" - Oisaur
@ Remove Polyfill.io code from your website immediately • The Register
@ Polyfill.io JavaScript supply chain attack impacts over 100K sites

... and a tip of the hat to solarbird, who put me on to this.

If you develop websites using a framework or JavaScript library but you're not sure what a polyfill is, search your codebase for the string "polyfill.io". Then look it up and either eliminate it as a dependency, or find a different place to fetch it from.

This, BTW, is one more reason to like Chris Ferdinandi's Daily Developer Tips | Go Make Things.
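
The codebase search suggested above can be made repeatable as a small check that also works as a CI gate. This is an added example, not part of the original post: the function names and the regular expression are this example's own, and it assumes a grep that supports `-r`, `-I` and `--exclude-dir` (GNU and BSD grep do).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find references to the
# polyfill.io host in a source tree. All names here are this example's own.

# Matches polyfill.io and any subdomain (cdn.polyfill.io). The character
# before the host must not be a hostname character, so look-alikes such as
# mypolyfill.io are ignored. A trailing dot or path is accepted, which means
# polyfill.io.example is also reported: over-reporting is the safer default.
POLYFILL_RE='(^|[^A-Za-z0-9.-])([A-Za-z0-9-]+\.)*polyfill\.io($|[^A-Za-z0-9-])'

# Print file:line:text for every reference under DIR (default: current dir).
scan_polyfill_refs() {
  # -r recurse, -n line numbers, -I skip binaries, -i hostnames ignore case.
  # node_modules is searched on purpose: dependencies may embed the URL.
  grep -rnIiE --exclude-dir=.git -e "$POLYFILL_RE" "${1:-.}"
}

# Number of matching lines under DIR.
count_polyfill_refs() {
  scan_polyfill_refs "${1:-.}" | wc -l | tr -d ' '
}

# CI gate: list the hits on stderr and return 1 if any exist, else return 0.
polyfill_gate() {
  local hits
  hits=$(scan_polyfill_refs "${1:-.}" || true)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits" >&2
  return 1
}
```

Source the file, then run `polyfill_gate ./path/to/site`. Built or minified bundles should be scanned as well as the sources, since the URL may only appear after the build.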

[personal profile] lilysea 2024-06-26 09:07 pm (UTC)
is .io a problem?

eg the bookmarking service

https://app.raindrop.io

[personal profile] solarbird 2024-06-26 11:44 pm (UTC)
It's been a real bad last week or so for admins.

See also.