{"id":908,"date":"2024-07-08T08:00:00","date_gmt":"2024-07-08T15:00:00","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=908"},"modified":"2025-04-14T09:33:56","modified_gmt":"2025-04-14T16:33:56","slug":"polyfill-io-and-software-supply-chain-security-a-cautionary-tale","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/","title":{"rendered":"Polyfill.io and Software Supply Chain Security: A Cautionary Tale"},"content":{"rendered":"\n<p>Over 100,000 websites using a popular JavaScript service (polyfill.io) are now victims of a web supply chain attack. A web supply chain attack is a type of software supply chain attack that targets a third-party web software component to gain access to an organization&#8217;s systems or data. These attacks can be difficult to prevent because they can be hard to detect, take advantage of trust, and have long-lasting effects.&nbsp;<\/p>\n\n\n\n<p>The attack stemmed from the takeover of a distribution domain. This past February, the Chinese company Funnull took ownership of cdn.polyfill.io, the domain that hosted the polyfill.js JavaScript library. Polyfill.js is a widely used library integrated into many well-known web applications and is used to support older browsers.<\/p>\n\n\n\n<p>The attack is automatically deployed on websites that contain embedded scripts from cdn.polyfill.io, where it uses dynamically generated payloads to redirect users to malicious sites and can potentially steal data.&nbsp;<\/p>\n\n\n\n<p>ICANN-accredited registrar Namecheap took down the domain on June 27 due to multiple reports of malicious activity, eliminating the immediate risk. However, it is still recommended that any polyfill.io code references be removed.<\/p>\n\n\n\n<p>There are several write-ups of the malware itself, including this one from <a href=\"https:\/\/sansec.io\/research\/polyfill-supply-chain-attack\">Sansec<\/a>. 
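<p>What that embedded reference looks like, and how to find and remove it in a page you control, as an added example: this is not code from CyCognito or from the original post. The Python script below parses the HTML of a page, flags every script or stylesheet loaded from polyfill.io or any host beneath it (matching on the parsed hostname rather than a substring, so look-alike domains are not flagged), and returns a copy of the page with the offending script tags stripped. The sample page is constructed for the demo, and the jsdelivr URL and the integrity value on it are placeholders.<\/p>

```python
"""Find and strip polyfill.io references in a page's HTML.

Added example for this post, not CyCognito's code. The sample page at the
bottom is constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# polyfill.io and every host beneath it (cdn.polyfill.io was the one most
# sites embedded). Matching on the parsed hostname, not a substring, keeps
# look-alikes such as notpolyfill.io or cdn.polyfill.io.evil.example out.
POLYFILL_HOSTS = ("polyfill.io",)


def is_polyfill_host(url: str) -> bool:
    """True if a src/href points at polyfill.io or a subdomain of it."""
    if url.startswith("//"):  # protocol-relative URLs are common in older pages
        url = "https:" + url
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in POLYFILL_HOSTS)


class ExternalRefs(HTMLParser):
    """Collect every externally loaded script and stylesheet on the page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = None
        if tag == "script" and a.get("src"):
            url = a["src"]
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or ""):
            url = a["href"]
        if url:
            self.refs.append({"tag": tag, "url": url, "integrity": a.get("integrity")})


def find_polyfill_refs(html: str) -> list:
    """Return the script/stylesheet references that load from polyfill.io, in page order."""
    parser = ExternalRefs()
    parser.feed(html)
    return [r for r in parser.refs if is_polyfill_host(r["url"])]


# A <script ... src=URL ...></script> element; group 1 is the URL. [^>] also
# matches newlines, so attributes wrapped across lines are handled.
SCRIPT_TAG = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)[\"']?[^>]*>\s*</script>",
    re.IGNORECASE,
)


def strip_polyfill_scripts(html: str):
    """Return (cleaned_html, removed_count) with polyfill.io script tags removed."""
    removed = 0

    def drop_if_polyfill(m):
        nonlocal removed
        if is_polyfill_host(m.group(1)):
            removed += 1
            return ""
        return m.group(0)  # any other script tag is left untouched

    return SCRIPT_TAG.sub(drop_if_polyfill, html), removed


# Constructed sample page: two polyfill.io loads (one protocol-relative), one
# pinned third-party script (placeholder hash), one stylesheet, one own script.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<link rel="stylesheet" href="https://static.example.net/site.css">
</head><body><p>hello</p>
<script src="/static/app.js"></script>
</body></html>"""


if __name__ == "__main__":
    for ref in find_polyfill_refs(SAMPLE_PAGE):
        print(f"polyfill.io reference: <{ref['tag']}> {ref['url']}")
    cleaned, n = strip_polyfill_scripts(SAMPLE_PAGE)
    print(f"removed {n} script tag(s); polyfill.io still present: {'polyfill.io' in cleaned}")
```

<p>Two caveats a practitioner would want. First, subresource integrity (SRI) would not have protected sites against this takeover: polyfill.io served a different bundle depending on the requesting browser, so there was no single hash to pin, which is why outright removal (or a self-hosted, pinned copy) is the right fix. Second, the scan only sees the HTML as served; scripts injected at runtime by other scripts, and pages behind authentication, need the same check run from inside an authenticated browser session.<\/p>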
This post will use the polyfill.io example to illustrate how to avoid this type of web supply chain security risk.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Software Supply Chain Security in a Nutshell<\/h2>\n\n\n\n<p>The analyst firm Gartner provides a succinct definition: \u201cSoftware supply chain security (SSCS) is the set of processes and tools used to curate, create and consume software in ways that mitigate attacks against software or its use as an attack vector. Curation focuses on assessing risks of third-party software and assessing its acceptability. Creation focuses on secure development and the protection of software artifacts and the development pipeline. Consumption validates integrity of software through verification, provenance and traceability.\u201d&nbsp;<\/p>\n\n\n\n<p>Put more simply, it\u2019s all the software you use and build into your software, plus how your developers write code and monitor the code after it\u2019s deployed. SolarWinds is probably the biggest known example of a software supply chain attack to date. Over 18,000 organizations were impacted, with some reports stating the attack cost those affected 11% of their revenue on average. Gartner estimates the cost of supply chain attacks will grow from $40 billion in 2023 to $138 billion in 2031. This is a big number that underlines the importance of supply chain security. One sign of that importance: the U.S. government has started asking its suppliers to provide a software bill of materials (SBOM) with the software they deliver.&nbsp;<\/p>\n\n\n\n<p>There are many aspects to creating a software supply chain security program.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scan third-party code using a software composition analysis (SCA) tool.&nbsp;<\/li>\n\n\n\n<li>Enforce strong authentication on all internal software repositories to prevent unauthorized access.&nbsp;<\/li>\n\n\n\n<li>Scan all code with static application security testing (<a href=\"https:\/\/www.cycognito.com\/learn\/application-security\/application-security-testing.php\">SAST<\/a>) and <a href=\"\/learn\/application-security\/dynamic-application-security.php\">dynamic application security testing (DAST)<\/a> before deployment to production.\u00a0<\/li>\n\n\n\n<li>Scan running code for web supply chain attacks in production.<\/li>\n<\/ul>\n\n\n\n<p>There\u2019s much more detail to what organizations need to do pre-deployment. The rest of this blog will focus on what happens to code that\u2019s already been deployed when web supply chain-delivered malware is identified.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Open Source Repository Takeovers<\/h2>\n\n\n\n<p>When an unknown or untrusted person or organization takes over a code repository or distribution site, the risks are obvious. Polyfill was an interesting case in that the repository wasn\u2019t attacked or compromised; it was sold, and the library was manipulated under new ownership.&nbsp;<\/p>\n\n\n\n<p>Open-source libraries are particularly vulnerable to these types of takeovers as the original authors move on or lose access to their work. 
<a href=\"https:\/\/www.synopsys.com\/blogs\/software-security\/open-source-trends-ossra-report.html\">A recent study by Synopsys<\/a> found that ninety-six percent of the codebases it audited contained open source components, illustrating the potential reach of this issue.<\/p>\n\n\n\n<p>Trusting open-source distributions involves a combination of due diligence, community engagement, and technical verification to ensure that the software is secure, reliable, and suitable for your needs. Common approaches include examining project maturity and popularity, reviewing the license, and checking update frequency. You want a well-maintained, widely used distribution that provides the minimum functionality you require.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How CyCognito Detects Polyfill.io<\/h2>\n\n\n\n<p>CyCognito identifies technologies (including third-party components like polyfill.io) used on websites and web applications. These are represented in the platform as common platform enumeration (<a href=\"https:\/\/csrc.nist.gov\/projects\/security-content-automation-protocol\/specifications\/cpe\">CPE<\/a>) services. Here\u2019s how you do it.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Step 1: Search for an Instance of the polyfill.js Library&nbsp;<\/h4>\n\n\n\n<p>CyCognito users can search their external attack surface for web applications that use polyfill with our advanced search feature. Organizations looking for polyfill.io instances simply run the filter \u201cservice contains \u2018polyfill.js\u2019\u201d as shown in Figure 1 below. 
CyCognito\u2019s AI search feature can also be used, letting users enter the request in plain English, for example \u201cshow me which web apps use polyfill.js.\u201d<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"113\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-1280x113.webp\" alt=\"\" class=\"wp-image-913\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-1280x113.webp 1280w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-512x45.webp 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-768x68.webp 768w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed.webp 1505w\" sizes=\"auto, (max-width: 1280px) 100vw, 1280px\" \/><\/figure>\n\n\n\n<p class=\"caption\">Figure 1. An Advanced Search filter that finds instances of polyfill.js<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Step 2: Review Details on Polyfill.js Usage<\/h4>\n\n\n\n<p>Once web application assets that include polyfill.js are found, CyCognito users can review details, including ownership, location, and whether additional risk is present, as shown in Figure 2. Assets are shown by default in order of severity, i.e., security grade.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"880\" height=\"368\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-1.webp\" alt=\"\" class=\"wp-image-912\" srcset=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-1.webp 880w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-1-512x214.webp 512w, https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-1-768x321.webp 768w\" sizes=\"auto, (max-width: 880px) 100vw, 880px\" \/><\/figure>\n\n\n\n<p class=\"caption\">Figure 2. 
Details on all assets that contain polyfill.js are displayed<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Step 3: Create Tickets for Web Application Remediation Teams<\/h4>\n\n\n\n<p>Users can then send the list of identified assets to a SIEM or ticketing system through an integration. CyCognito includes remediation steps in the ticket, as shown in Figure 3.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"443\" height=\"404\" src=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-2.webp\" alt=\"\" class=\"wp-image-911\"\/><\/figure>\n\n\n\n<p class=\"caption\">Figure 3. An example remediation ticket created in Splunk shows details and remediation steps.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Step 4: Validate Assets&nbsp;<\/h4>\n\n\n\n<p>Once the ticket is closed, an API call is sent to the CyCognito platform, which re-checks the asset to confirm it no longer contains polyfill.io code.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Reach out to See how CyCognito Helps You Respond to Your Software Supply Chain Security Issues<\/strong><\/h2>\n\n\n\n<p>Software supply chain security issues are becoming more prevalent. Organizations need to actively track the web application components in use to gauge potential risk and respond efficiently. Web applications are particularly vulnerable because they rely on many components that can be compromised, including third-party libraries and open source software. 
CyCognito helps mitigate these risks by giving you visibility into which third-party, pre-built code exists in your attack surface.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.cycognito.com\/demo\/\">Schedule a demo<\/a> to find out how CyCognito can help you detect polyfill.io across your attack surface.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog post discusses a recent software supply chain attack that targeted the popular JavaScript service, Polyfill.io. The attack highlights the importance of software supply chain security and shows how CyCognito can help identify third-party libraries to mitigate exposed vulnerabilities.<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[172,171,170,169],"class_list":["post-908","post","type-post","status-publish","format-standard","hentry","category-product","tag-javascript-libraries","tag-open-source-library","tag-polyfill","tag-supply-chain-risk"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Polyfill.io and Software Supply Chain Security: A Cautionary Tale | CyCognito Blog<\/title>\n<meta name=\"description\" content=\"This blog post discusses a recent software supply chain attack that targeted the popular JavaScript service, Polyfill.io. 
The attack highlights the importance of software supply chain security and provides how CyCognito can help identify third-party libraries to mitigate exposed vulnerabilities.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Polyfill.io and Software Supply Chain Security \u2013 A Cautionary Tale\" \/>\n<meta property=\"og:description\" content=\"This blog post discusses a recent software supply chain attack that targeted the popular JavaScript service, Polyfill.io. The attack highlights the importance of software supply chain security and provides how CyCognito can help identify third-party libraries to mitigate exposed vulnerabilities.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/\" \/>\n<meta property=\"og:site_name\" content=\"CyCognito Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-08T15:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-04-14T16:33:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/banner-blog-2024-07-08-2400x1256-email.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2400\" \/>\n\t<meta property=\"og:image:height\" content=\"1256\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Ansh Patnaik\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ansh Patnaik\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/\"},\"author\":{\"name\":\"Ansh Patnaik\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/379a84aa58b78194234d928f77d52325\"},\"headline\":\"Polyfill.io and Software Supply Chain Security: A Cautionary Tale\",\"datePublished\":\"2024-07-08T15:00:00+00:00\",\"dateModified\":\"2025-04-14T16:33:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/\"},\"wordCount\":1065,\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-1280x113.webp\",\"keywords\":[\"Javascript Libraries\",\"Open Source Library\",\"Polyfill\",\"Supply Chain Risk\"],\"articleSection\":[\"Product\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/\",\"name\":\"Polyfill.io and Software Supply Chain Security: A Cautionary Tale | CyCognito 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-1280x113.webp\",\"datePublished\":\"2024-07-08T15:00:00+00:00\",\"dateModified\":\"2025-04-14T16:33:56+00:00\",\"description\":\"This blog post discusses a recent software supply chain attack that targeted the popular JavaScript service, Polyfill.io. The attack highlights the importance of software supply chain security and provides how CyCognito can help identify third-party libraries to mitigate exposed vulnerabilities.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/#primaryimage\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed.webp\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed.webp\",\"width\":1505,\"height\":133},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.cycognito.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Polyfill.io and Software Supply Chain Security: A Cautionary 
Tale\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#website\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"name\":\"Cycognito Blog\",\"description\":\"Research, Product News and Latest Updates\",\"publisher\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#organization\",\"name\":\"Cycognito\",\"url\":\"https:\/\/www.cycognito.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"contentUrl\":\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png\",\"width\":1720,\"height\":550,\"caption\":\"Cycognito\"},\"image\":{\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/379a84aa58b78194234d928f77d52325\",\"name\":\"Ansh Patnaik\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e6db82b71e1c2318ea2aeb16e13995ae?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e6db82b71e1c2318ea2aeb16e13995ae?s=96&d=mm&r=g\",\"caption\":\"Ansh Patnaik\"},\"description\":\"Chief Product Officer\",\"url\":\"https:\/\/www.cycognito.com\/blog\/author\/ansh-patnaik\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Polyfill.io and Software Supply Chain Security: A Cautionary Tale | CyCognito Blog","description":"This blog post discusses a recent software supply chain attack that targeted the popular JavaScript service, Polyfill.io. The attack highlights the importance of software supply chain security and provides how CyCognito can help identify third-party libraries to mitigate exposed vulnerabilities.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/","og_locale":"en_US","og_type":"article","og_title":"Polyfill.io and Software Supply Chain Security \u2013 A Cautionary Tale","og_description":"This blog post discusses a recent software supply chain attack that targeted the popular JavaScript service, Polyfill.io. The attack highlights the importance of software supply chain security and provides how CyCognito can help identify third-party libraries to mitigate exposed vulnerabilities.","og_url":"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/","og_site_name":"CyCognito Blog","article_published_time":"2024-07-08T15:00:00+00:00","article_modified_time":"2025-04-14T16:33:56+00:00","og_image":[{"width":2400,"height":1256,"url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/banner-blog-2024-07-08-2400x1256-email.png","type":"image\/png"}],"author":"Ansh Patnaik","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Ansh Patnaik","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/#article","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/"},"author":{"name":"Ansh Patnaik","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/379a84aa58b78194234d928f77d52325"},"headline":"Polyfill.io and Software Supply Chain Security: A Cautionary Tale","datePublished":"2024-07-08T15:00:00+00:00","dateModified":"2025-04-14T16:33:56+00:00","mainEntityOfPage":{"@id":"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/"},"wordCount":1065,"publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/#primaryimage"},"thumbnailUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-1280x113.webp","keywords":["Javascript Libraries","Open Source Library","Polyfill","Supply Chain Risk"],"articleSection":["Product"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/","url":"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/","name":"Polyfill.io and Software Supply Chain Security: A Cautionary Tale | CyCognito 
Blog","isPartOf":{"@id":"https:\/\/www.cycognito.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/#primaryimage"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/#primaryimage"},"thumbnailUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed-1280x113.webp","datePublished":"2024-07-08T15:00:00+00:00","dateModified":"2025-04-14T16:33:56+00:00","description":"This blog post discusses a recent software supply chain attack that targeted the popular JavaScript service, Polyfill.io. The attack highlights the importance of software supply chain security and provides how CyCognito can help identify third-party libraries to mitigate exposed vulnerabilities.","breadcrumb":{"@id":"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/#primaryimage","url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed.webp","contentUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/unnamed.webp","width":1505,"height":133},{"@type":"BreadcrumbList","@id":"https:\/\/www.cycognito.com\/blog\/polyfill-io-and-software-supply-chain-security-a-cautionary-tale\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.cycognito.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Polyfill.io and Software Supply Chain Security: A Cautionary 
Tale"}]},{"@type":"WebSite","@id":"https:\/\/www.cycognito.com\/blog\/#website","url":"https:\/\/www.cycognito.com\/blog\/","name":"Cycognito Blog","description":"Research, Product News and Latest Updates","publisher":{"@id":"https:\/\/www.cycognito.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.cycognito.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.cycognito.com\/blog\/#organization","name":"Cycognito","url":"https:\/\/www.cycognito.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","contentUrl":"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/logo-1720x550-1.png","width":1720,"height":550,"caption":"Cycognito"},"image":{"@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/379a84aa58b78194234d928f77d52325","name":"Ansh Patnaik","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.cycognito.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/e6db82b71e1c2318ea2aeb16e13995ae?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e6db82b71e1c2318ea2aeb16e13995ae?s=96&d=mm&r=g","caption":"Ansh Patnaik"},"description":"Chief Product 
Officer","url":"https:\/\/www.cycognito.com\/blog\/author\/ansh-patnaik\/"}]}},"_links":{"self":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/comments?post=908"}],"version-history":[{"count":7,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/908\/revisions"}],"predecessor-version":[{"id":1458,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/posts\/908\/revisions\/1458"}],"wp:attachment":[{"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/media?parent=908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/categories?post=908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cycognito.com\/blog\/wp-json\/wp\/v2\/tags?post=908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}