by EKSolutions 622 days ago
It looks like someone has compromised one of their subdomains for Polyfill

Update: Subdomain seems to be returning normal responses again now.

2 comments

You mean the IA included some JS polyfill from a subdomain and that's what's compromised / where the alert is coming from?
Yes, "https://polyfill.archive.org/v3/polyfill.min.js?features=fet..." is the URL with the malicious code.
It looks like it is running the service that was part of the supply chain attack earlier this year. https://github.com/polyfillpolyfill/polyfill-service/issues/...
The service was fine, it was the "official" hosted instance of the service which was compromised. IA appears to be running their own instance.
That was a DNS hack of polyfill.io though, right? This looks like it was/is self-hosted.
Yeah I'm getting this exact response from the above URL now:

https://sourcegraph.com/github.com/polyfillpolyfill/polyfill...

Seems like they self hosted that service

Correct. The source subdomain of the popup seems to be hxxps[:]//polyfill[.]archive[.]org
That would perhaps explain how they managed to inject the JS alert popup, right?
Yeah, but the leak has been confirmed by HIBP, I found my address in there.
DOH. I hadn't heard this.