Open-Source Library Used to Distribute Malware
July 26, 2024
Cloudflare, a large company that provides content delivery network and cloud cybersecurity services, has instructed its customers to remove polyfill.io, the hosted service that serves the widely used open-source Polyfill library, because the domain is now being used to distribute malware.
Jonathan Greig, reporting in The Record, writes that more than 100,000 websites used Polyfill to bridge compatibility gaps between modern code and older browsers.
Researchers have determined that the Chinese company Funnull bought the polyfill.io domain and took control of its GitHub account. Cloudflare CEO Matthew Prince warned that “tens of millions of websites (4% of the web) use polyfill.io.”
The article quotes Sarah Jones, a cyber threat intelligence research analyst at Critical Start, who says that polyfill’s adoption across various industries — including e-commerce, finance, media and entertainment, and healthcare — “provides a vast network of websites for malicious actors to exploit.”
“This is a real threat to the Internet at large given the popularity of this library,” Cloudflare said. It called claims made on the polyfill.io website that Cloudflare recommended the service false, and said the polyfill.io operators have ignored requests to remove Cloudflare's name from the site and to take down the false statements.
Jones added that the incident highlights the inherent vulnerability of relying on the security practices of third-party open-source library maintainers.
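The practical check that follows from the warning above is an audit of every page for scripts pulled from the polyfill.io domain. The script below is an added example written for this page, not code from the article, Cloudflare or the Polyfill project: it scans HTML for cross-origin script tags, reports polyfill.io loads for removal, flags other third-party scripts that lack an integrity attribute, and strips the flagged elements. The sample page, the page origin, the placeholder integrity value and the flagged-host list are constructed assumptions.

```javascript
// Added example: audit a page's <script> tags for the polyfill.io service and
// strip them. Not code from the article, Cloudflare or the Polyfill project.
// FLAGGED_HOSTS, PAGE_ORIGIN and SAMPLE_HTML are constructed for this example.
const FLAGGED_HOSTS = ['polyfill.io'];          // hostnames (and their subdomains) to treat as hostile
const PAGE_ORIGIN = 'https://www.example.com';  // origin of the page being audited (assumed)

// Constructed sample page: two polyfill.io loads (absolute and protocol-relative),
// one third-party script pinned with SRI, one third-party script without SRI,
// one same-origin script and one inline script. The integrity value is a placeholder.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example-cdn.net/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example-cdn.net/other.js"></script>
<script src="/static/app.js"></script>
<script>console.log('inline');</script>
</head><body></body></html>`;

// Pull the src attribute out of a <script ...> opening tag, or null if absent.
function srcOf(tag) {
  const m = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Resolve src against the page origin so protocol-relative ("//host/...") and
// root-relative ("/static/...") URLs get a hostname; null on unparsable input.
function hostOf(src, pageOrigin) {
  try {
    const u = new URL(src, pageOrigin);
    return { host: u.hostname.toLowerCase(), sameOrigin: u.origin === new URL(pageOrigin).origin };
  } catch {
    return null;
  }
}

function isFlaggedHost(host) {
  return FLAGGED_HOSTS.some((h) => host === h || host.endsWith('.' + h));
}

// Walk every <script> opening tag and classify cross-origin loads.
function auditHtml(html, pageOrigin = PAGE_ORIGIN) {
  const findings = [];
  for (const m of html.matchAll(/<script\b[^>]*>/gi)) {
    const tag = m[0];
    const src = srcOf(tag);
    if (src === null) continue;                       // inline script: nothing is fetched
    const where = hostOf(src, pageOrigin);
    if (where === null || where.sameOrigin) continue; // same-origin assets are out of scope here
    const hasIntegrity = /\bintegrity\s*=/i.test(tag);
    if (isFlaggedHost(where.host)) {
      findings.push({ src, host: where.host, action: 'remove or self-host' });
    } else if (!hasIntegrity) {
      findings.push({ src, host: where.host, action: 'add Subresource Integrity' });
    }
  }
  return findings;
}

// Remove whole <script ...>...</script> elements whose src points at a flagged host.
function stripFlaggedScripts(html, pageOrigin = PAGE_ORIGIN) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, (element) => {
    const openingTag = /<script\b[^>]*>/i.exec(element)[0]; // ignore the script body
    const src = srcOf(openingTag);
    const where = src === null ? null : hostOf(src, pageOrigin);
    return where !== null && !where.sameOrigin && isFlaggedHost(where.host) ? '' : element;
  });
}

console.log(JSON.stringify(auditHtml(SAMPLE_HTML), null, 2));
console.log(stripFlaggedScripts(SAMPLE_HTML));
```

Note that the "add Subresource Integrity" advice is only for scripts whose bytes are fixed. It is not a fix for polyfill.io itself: that service tailored its response to the requesting browser's User-Agent, so no single integrity hash would match for every visitor. The only sound remediation for a polyfill.io reference is to delete it or to self-host a reviewed copy of the bundle.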
Earlier, two incidents had exposed weaknesses in managing open-source software. In April 2024, the OpenJS Foundation reported and blocked an attempted social-engineering takeover of one of its JavaScript projects. In March, experts found malicious code embedded in a popular Linux compression tool, XZ Utils. In the XZ Utils case, the attackers spent a long campaign pressuring an overworked maintainer into granting them co-maintainer access, then used that access to insert a backdoor into the project.