Craig Pepper
July 1, 2024
4 Min Read

Threat Report 01.07.24

Polyfill supply chain attack leaves 100,000 websites vulnerable

Over 100,000 websites using the Polyfill.io service have been hijacked in a supply chain attack after a Chinese company acquired the domain, altering the polyfill.js JavaScript library to redirect website visitors to malicious websites. The Polyfill library provides support for modern functions in web browsers, but the original CDN domain will now inject malware that redirects users to sports betting and pornographic sites.

Websites using the library are urged to remove it as soon as possible to stop propagating the attack. The original creator of the project has stated that modern websites do not require any of the polyfills in the library, and that most features added to the library are quickly added to modern browsers regardless. Both Cloudflare and Fastly have re-hosted the library to offer an alternative endpoint for websites that wish to keep using it in the meantime.
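The first step for a site owner is finding out whether any page still loads from the hijacked domain. The following Python script is an added example (not code from the report or from the Polyfill project): it parses an HTML document, reports every `<script>` or stylesheet `<link>` served from polyfill.io or one of its subdomains as critical, and additionally flags other third-party resources that carry no Subresource Integrity hash, since those are the references where a CDN-side change would go unnoticed. The sample page, the site hostname `www.example.com` and the `sha384-constructed-placeholder` integrity value are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain the report says was hijacked; any subdomain (e.g. cdn.polyfill.io) counts.
HIJACKED_DOMAINS = ("polyfill.io",)


def host_in_domains(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


class ExternalResourceCollector(HTMLParser):
    """Collects every <script src> and stylesheet <link href> with its integrity attribute."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lower-cases attribute names
        url = None
        if tag == "script" and a.get("src"):
            url = a["src"]
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or "").lower():
            url = a["href"]
        if url:
            self.resources.append({"tag": tag, "url": url, "integrity": a.get("integrity")})


def audit_html(html, site_host):
    """Return findings for hijacked or unpinned third-party resources in one HTML document."""
    collector = ExternalResourceCollector()
    collector.feed(html)
    findings = []
    for res in collector.resources:
        host = urlparse(res["url"]).hostname  # None for same-origin relative URLs like /js/app.js
        if host is None or host.lower() == site_host.lower():
            continue  # first-party asset, not a third-party supply-chain dependency
        if host_in_domains(host, HIJACKED_DOMAINS):
            findings.append({"severity": "critical", "url": res["url"],
                             "reason": "loaded from the hijacked polyfill.io domain; remove the tag"})
        elif not res["integrity"]:
            findings.append({"severity": "warning", "url": res["url"],
                             "reason": "third-party resource without Subresource Integrity; "
                                       "a content change at the CDN would not be detected"})
    return findings


# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.example-cdn.net/main.css">
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"
        integrity="sha384-constructed-placeholder" crossorigin="anonymous"></script>
<script src="/js/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, "www.example.com"):
        print(f"[{f['severity']}] {f['url']}: {f['reason']}")
```

Run it over the rendered HTML of each page template (or crawl output) rather than only the source files, because the injected tag is often added by a theme, a plugin or a tag manager rather than by hand-written markup. Protocol-relative references such as `//polyfill.io/...` are caught as well, since `urlparse` still extracts the hostname.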

Android malware abuses security feature to bypass anti-tampering protections

A piece of malware tracked as Snowblind has been observed bypassing anti-tampering protections in order to steal user data, with the goal of retrieving the victim’s credentials.

The malware accomplishes this by abusing ‘seccomp’, a feature Android uses to protect users from malicious actions through integrity checks on applications. With this method, Snowblind can bypass multi-factor authentication and biometric authentication.

As the attack is not well known, the majority of apps will likely not protect against it. This is expected to change as reports published by security researchers raise awareness of it. The researchers have stated that they have currently found no apps available on Google Play that feature this malware, and that Android users are automatically protected from currently known versions of the malware by Google Play Protect.

Supply chain attack backdoors WordPress plugins

The source code of at least five WordPress plugins has been modified by a threat actor, leaving over 35,000 websites vulnerable. The threat actor has modified the source code of these plugins to include a malicious PHP file that will create new admin accounts on affected websites.

The following plugins and versions are noted to be affected:

  • Social Warfare versions 4.4.6.4 to 4.4.7.1
  • Blaze Widget versions 2.2.5 to 2.5.2
  • Wrapper Link Element versions 1.0.2 to 1.0.3
  • Contact Form 7 Multi-Step Addon versions 1.0.4 to 1.0.5
  • Simply Show Hooks versions 1.2.1 to 1.2.2

There is, however, a potential that more plugins have been affected but not yet discovered.

Since the breach was discovered, most affected plugins have been patched, and more patches should be expected in the following days. We recommend updating any WordPress plugins as soon as possible to mitigate the possibility of a breach.
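Two checks follow from this item: whether an installed plugin falls inside one of the listed version ranges, and whether the backdoor's effect (a new administrator account) is already present. The Python below is an added example, not code from the report or from WordPress: it reads the `Plugin Name` and `Version` fields from a plugin's main-file header comment, compares the version against the ranges exactly as listed above (inclusive at both ends), and lists administrator accounts that are not on an allow-list of known admins. The plugin headers, the administrator list (in the shape `wp user list --role=administrator --fields=user_login,user_registered --format=json` returns) and the allow-list are all constructed sample data.

```python
import re

# Affected plugins and version ranges exactly as listed in the report (inclusive on both ends).
AFFECTED = {
    "Social Warfare": ("4.4.6.4", "4.4.7.1"),
    "Blaze Widget": ("2.2.5", "2.5.2"),
    "Wrapper Link Element": ("1.0.2", "1.0.3"),
    "Contact Form 7 Multi-Step Addon": ("1.0.4", "1.0.5"),
    "Simply Show Hooks": ("1.2.1", "1.2.2"),
}

# Matches "Plugin Name: X" / "Version: X" lines inside a WordPress header comment,
# whether or not each line is prefixed with " * ".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_version(v):
    """Turn '4.4.7.1' into a comparable tuple; '4.4.7' and '4.4.7.0' compare equal."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def read_plugin_header(php_source):
    """Return (plugin name, version) from a plugin main file's header comment."""
    fields = {m.group(1): m.group(2) for m in HEADER_RE.finditer(php_source)}
    return fields.get("Plugin Name"), fields.get("Version")


def is_affected(name, version):
    """True if the plugin name is in the report's list and the version is inside its range."""
    rng = AFFECTED.get(name)
    if rng is None or version is None:
        return False
    low, high = (parse_version(x) for x in rng)
    return low <= parse_version(version) <= high


def unexpected_admins(admin_users, known_admins):
    """Administrator accounts not on the allow-list; accounts created by the backdoor surface here."""
    return [u for u in admin_users if u["user_login"] not in known_admins]


def audit_site(plugin_sources, admin_users, known_admins):
    """Combine both checks into one report for a single WordPress install."""
    vulnerable = []
    for src in plugin_sources:
        name, version = read_plugin_header(src)
        if is_affected(name, version):
            vulnerable.append({"plugin": name, "version": version})
    return {"vulnerable_plugins": vulnerable,
            "unexpected_admins": unexpected_admins(admin_users, known_admins)}


# Constructed plugin headers; the version numbers are chosen to sit inside and outside the ranges.
SAMPLE_PLUGINS = [
    "<?php\n/**\n * Plugin Name: Social Warfare\n * Version: 4.4.7.0\n */\n",
    "<?php\n/*\nPlugin Name: Blaze Widget\nVersion: 2.6.0\n*/\n",
    "<?php\n/**\n * Plugin Name: Simply Show Hooks\n * Version: 1.2.2\n */\n",
]
# Constructed administrator list and allow-list.
SAMPLE_ADMINS = [
    {"user_login": "siteowner", "user_registered": "2021-03-02 10:15:00"},
    {"user_login": "wpsupport-tmp", "user_registered": "2024-06-24 03:41:19"},
]
KNOWN_ADMINS = {"siteowner"}

if __name__ == "__main__":
    report = audit_site(SAMPLE_PLUGINS, SAMPLE_ADMINS, KNOWN_ADMINS)
    for p in report["vulnerable_plugins"]:
        print(f"vulnerable plugin: {p['plugin']} {p['version']}")
    for u in report["unexpected_admins"]:
        print(f"unexpected administrator: {u['user_login']} (registered {u['user_registered']})")
```

The version comparison is numeric per component, so `4.4.7` and `4.4.7.0` are treated as the same release and `4.4.10` sorts after `4.4.9`, which a plain string comparison would get wrong. Matching on the header's display name is deliberate because that is what the report lists; mapping names to installed directory slugs is left to the operator. A plugin found inside a listed range should be updated to a patched release, and any unexpected administrator should be investigated rather than just deleted.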
