008.1: POLYFILL

May 27, 2025 · 38 min

Episode description

In this episode of the Intrusions InDepth Podcast, host Josh Stepp dives into the 2024 Polyfill.io incident, a wake-up call for the web development community that exposed the vulnerabilities of the internet’s sprawling infrastructure. What began as a trusted open-source service, used by over 100,000 websites to ensure cross-browser compatibility, turned into a vehicle for widespread malware distribution after its domain and GitHub repository were sold to a Chinese company, Funnull. Josh explores the timeline of the attack, the mechanics of the malicious JavaScript payloads, and the broader implications for open-source software and internet trust. With a mix of technical analysis, commentary on open-source economics, and a touch of conspiracy-adjacent speculation, this episode unpacks how a seemingly innocuous service became a vector for a global cyberattack and what it means for the future of the web.

Main Topics Discussed

* Polyfill.io Attack Overview

* Timeline of Events

* Malware Mechanics

* Open-Source Vulnerabilities

* Implications and Solutions

Call to Action:

* Subscribe to the podcast for more episodes on high-profile cyber intrusions.

* Visit our website at intrusionsindepth.com for additional stories and insights.

* Share your thoughts on social media using #IntrusionsInDepth.

Links and Resources:

* https://blog.qualys.com/vulnerabilities-threat-research/2024/06/28/polyfill-io-supply-chain-attack

* https://cside.dev/blog/the-polyfill-attack-explained

* https://therecord.media/polyfill-cloudflare-trade-barbs-supply-chain-attack

* https://news.ycombinator.com/item?id=40792136

* https://news.ycombinator.com/item?id=40804254

* https://risky.biz/RB755/

* https://web.archive.org/web/20230505112634/https://polyfill.io/v3/ownership-transfer

* https://web.archive.org/web/20230601214142/https://jakechampion.name/

* https://web.archive.org/web/20231011015804/https://polyfill.io/

* https://web.archive.org/web/20231101040617/https://polyfill.io/

* https://github.com/polyfillpolyfill/polyfill-service/commit/5f4fc040e09436371f70ffcebe47ca0e3cdccac0

* https://github.com/polyfillpolyfill/polyfill-service/commit/aa261a834b36131e8dbd20d725c6b5d773f736d9

* https://github.com/polyfillpolyfill/polyfill-service/issues/2892

* https://sansec.io/research/polyfill-supply-chain-attack

* https://www.theregister.com/2025/05/06/from_russia_with_doubt_go/

* https://huntedlabs.com/the-russian-open-source-project-that-we-cant-live-without/

* https://x.com/weirddalle/status/1922396432977346973

* https://www.berkshirehathaway.com/

* https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk/

* https://blog.cloudflare.com/automatically-replacing-polyfill-io-links-with-cloudflares-mirror-for-a-safer-internet/

* Host: Josh Stepp

* Produced by: Josh Stepp

Thank you for tuning in to IntrusionsInDepth. Stay informed, stay safe, and see you in the next episode!
