
In this episode of the Intrusions InDepth Podcast, host Josh Stepp dives into the 2024 Polyfill.io incident, a wake-up call for the web development community that exposed the vulnerabilities of the internet’s sprawling infrastructure. What began as a trusted open-source service, used by over 100,000 websites to ensure cross-browser compatibility, turned into a vehicle for widespread malware distribution after its domain and GitHub repository were sold to a Chinese company, Funnull. Josh explores the timeline of the attack, the mechanics of the malicious JavaScript payloads, and the broader implications for open-source software and internet trust. With a mix of technical analysis, commentary on open-source economics, and a touch of conspiracy-adjacent speculation, this episode unpacks how a seemingly innocuous service became a vector for a global cyberattack and what it means for the future of the web.
Main Topics Discussed
* Polyfill.io Attack Overview
* Timeline of Events
* Malware Mechanics
* Open-Source Vulnerabilities
* Implications and Solutions
Call to Action:
* Subscribe to the podcast for more episodes on high-profile cyber intrusions.
* Visit our website at intrusionsindepth.com for additional stories and insights.
* Share your thoughts on social media using #IntrusionsInDepth.
Links and Resources:
* https://blog.qualys.com/vulnerabilities-threat-research/2024/06/28/polyfill-io-supply-chain-attack
* https://cside.dev/blog/the-polyfill-attack-explained
* https://therecord.media/polyfill-cloudflare-trade-barbs-supply-chain-attack
* https://news.ycombinator.com/item?id=40792136
* https://news.ycombinator.com/item?id=40804254
* https://risky.biz/RB755/
* https://web.archive.org/web/20230505112634/https://polyfill.io/v3/ownership-transfer
* https://web.archive.org/web/20230601214142/https://jakechampion.name/
* https://web.archive.org/web/20231011015804/https://polyfill.io/
* https://web.archive.org/web/20231101040617/https://polyfill.io/
* https://github.com/polyfillpolyfill/polyfill-service/commit/5f4fc040e09436371f70ffcebe47ca0e3cdccac0
* https://github.com/polyfillpolyfill/polyfill-service/commit/aa261a834b36131e8dbd20d725c6b5d773f736d9
* https://github.com/polyfillpolyfill/polyfill-service/issues/2892
* https://sansec.io/research/polyfill-supply-chain-attack
* https://www.theregister.com/2025/05/06/from_russia_with_doubt_go/
* https://huntedlabs.com/the-russian-open-source-project-that-we-cant-live-without/
* https://x.com/weirddalle/status/1922396432977346973
* https://www.berkshirehathaway.com/
* https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk/
* https://blog.cloudflare.com/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-safer-internet/
* Host: Josh Stepp
* Produced by: Josh Stepp
Thank you for tuning in to Intrusions InDepth. Stay informed, stay safe, and see you in the next episode!