From cyberplace.social/@GossiTheDog…
All credit to @GossiTheDog
Without CDN/Archived: web.archive.org/web/sansec.io/…
Polyfill[.]io is now serving malware.
This is why you should not rely on embedding third party scripts on your website.
Only load JavaScript from domains you own - and preferably, only load JavaScript you/your organization wrote.
Third party JavaScript is and will always be a threat to privacy and security.
Polyfill supply chain attack hits 100K+ sites
The new Chinese owner of the popular Polyfill JS project injects malware into more than 100 thousand sites. (Sansec)
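
One way to act on the advice above, as an added example that is not part of the original post: a Python audit that lists every `<script src>` in a page whose host is not a domain you own. The page URL, the owned domain `shop.example`, the third-party hosts and the sample HTML are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptAudit(HTMLParser):
    """Collect (absolute_url, host) for every external <script src=...>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script: no remote origin to check
        # Resolve relative and protocol-relative (//host/...) URLs first,
        # otherwise "//cdn..." would look like a local path.
        url = urljoin(self.page_url, src.strip())
        host = (urlsplit(url).hostname or "").lower()
        self.scripts.append((url, host))


def is_owned(host, owned):
    # Exact match or a true subdomain; "shop.example.evil.example" must fail.
    return any(host == d or host.endswith("." + d) for d in owned)


def third_party_scripts(html, page_url, owned_domains):
    """Return script URLs served from hosts outside owned_domains."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    owned = {d.lower() for d in owned_domains}
    return [url for url, host in parser.scripts if not is_owned(host, owned)]


# Constructed sample page (hypothetical hosts under the reserved .example TLD).
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://assets.shop.example/vendor.js"></script>
<script src="//cdn.thirdparty.example/v3/polyfill.min.js"></script>
<SCRIPT SRC="https://shop.example.evil.example/x.js"></SCRIPT>
<script>console.log("inline")</script>
"""

if __name__ == "__main__":
    for url in third_party_scripts(SAMPLE_HTML, "https://shop.example/", {"shop.example"}):
        print("third-party script:", url)
```

Run over built templates in CI, a non-empty result can fail the build until the script is self-hosted or removed.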