• Waldowal@lemmy.world
    19 upvotes · 3 days ago

    In a similar vein, Heinz once used a temporary domain for a promotion accessible by scanning a QR code on their bottles. The promotion ran its course, and they let the domain name expire.

    Problem is these bottles were available on restaurant tables for much longer. Didn’t take long before scanning the Heinz QR code at your table got you some pornography.

  • towerful@programming.dev
    14 upvotes · 3 days ago

    People complain about the web build tool chain, bundlers, rollups etc.
    And it has been and probably still is pretty stupid.
    But at least you can pin and deploy all your dependencies before deploying.

    This highlights why pulling in scripts at runtime from sources you don’t control is a worse idea
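
An added example, not part of the comment above: a small Node.js audit that lists the `<script>` tags a page loads at runtime from other origins and marks which ones are pinned with Subresource Integrity. The sample HTML, the hosts other than polyfill.io, and the function names are constructed for illustration.

```javascript
// Added example: flag <script> tags that load code at runtime from other origins.
// The regex tag scan is a simplification; a production audit would use an HTML parser.
const BLOCKED_HOSTS = ['polyfill.io']; // the domain discussed in this thread

function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of tag.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

function auditScripts(html, pageUrl, blockedHosts = BLOCKED_HOSTS) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    if (!attrs.src) continue;                 // inline script, nothing fetched
    const src = new URL(attrs.src, page);     // resolves relative and // URLs
    if (src.origin === page.origin) continue; // self-hosted, deployed with the site
    const host = src.hostname;
    const blocked = blockedHosts.some((b) => host === b || host.endsWith('.' + b));
    // SRI pins the exact bytes, so a changed upstream file is refused by the browser
    const pinned = /^sha(256|384|512)-/.test(attrs.integrity || '');
    const verdict = blocked ? 'blocked-host' : pinned ? 'pinned' : 'unpinned';
    findings.push({ src: src.href, host, verdict });
  }
  return findings;
}

// Constructed sample page (paths, hosts other than polyfill.io, and hash are made up)
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://polyfill.io/constructed/path.js"></script>
<script src="//cdn.example.net/lib.js" async></script>
<script src="https://cdn.example.net/lib2.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script>console.log("inline")</script>`;

for (const f of auditScripts(SAMPLE_HTML, 'https://shop.example/index.html')) {
  console.log(f.verdict.padEnd(13), f.src);
}
```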

  • CodeMonkey@programming.dev
    11 upvotes · 2 downvotes · 3 days ago

    This is not a supply chain attack, it is sudden extreme enshittification. According to the article, the attacker also bought the GitHub repo, so all releases should be considered tainted. The community will have to find a fork from before the acquisition and hope that there are no pre-purchase favors smuggled in.

    • Kissaki@programming.dev
      English · 7 upvotes · 3 days ago (edited)

      > This is not a supply chain attack, it is sudden extreme enshittification. According to the article, the attacker also bought the GitHub repo

      I don’t see how buying the GitHub repo as well makes it not a supply chain attack but enshittification.

      They bought into the supply chain. It’s a supply chain attack.

    • sabreW4K3@lazysoci.alOP
      3 upvotes · 3 days ago

      I thought Polyfill was a Google thing. I remember when they implemented it on YouTube and the Firefox performance was dire.

  • machinaeZER0@lemm.ee
    English · 5 upvotes · 3 days ago (edited)

    So, one would add

    * polyfill.io * block

    to their My Filters pane in uBlock Origin?

    • b_van_b@programming.dev
      3 upvotes · 3 days ago (edited)

      This setting appears to work for me. It shows up as blocked in the logs. I’ve also blocked it in NoScript for good measure.