Polyfill Supply Chain Attack Impacting 100k Sites Linked to North Korea

SecurityWeek, Mar 12, 2026

Why It Matters

The revelation shows state‑backed actors can exploit global JavaScript supply chains, raising systemic risk for web infrastructure and highlighting the need for stricter provenance controls.

Key Takeaways

  • Polyfill.io breach affected 100k+ websites worldwide.
  • Funnull acted as front for North Korean hackers.
  • Malicious scripts redirected users to gambling sites used to launder crypto.
  • Evidence includes DNS and Cloudflare tenant credentials.
  • North Korea stole over $2 billion in crypto in 2025.

Pulse Analysis

The Polyfill.io library has long been a staple for developers seeking cross‑browser compatibility, delivering small JavaScript snippets that run on millions of pages. When the service was sold to Funnull, a Chinese CDN, the supply chain suddenly became a vector for malicious code injection. In June 2024, security researchers observed that the altered scripts served from cdn.polyfill.io were loading additional payloads that targeted mobile browsers, silently redirecting traffic to gambling and adult sites. This incident underscored how a single compromised third‑party component can expose a vast portion of the web to abuse.

Initial investigations blamed the Chinese syndicate behind Funnull, but Hudson Rock’s recent forensic work has built a concrete link to North Korean actors. By harvesting credentials from an infected device—including access to Funnull’s DNS management console and the Polyfill Cloudflare tenant—the firm traced command‑and‑control communications back to a North Korean operator. The ultimate objective appears financial: the malicious redirects funneled users into the Suncity Group’s betting platform, a conduit for laundering the billions in cryptocurrency that the regime reportedly stole in 2025. The operation illustrates a sophisticated blend of supply‑chain compromise and state‑sponsored money‑laundering.

For enterprises and web‑hosting providers, the fallout demands a reassessment of third‑party risk. Continuous monitoring of script integrity, adoption of Subresource Integrity (SRI) tags (which pin a third‑party script to a known hash so that altered content fails to load), and diversification of trusted CDNs are becoming best practices. Policymakers are also eyeing tighter regulations around software provenance to deter nation‑state exploitation of open‑source ecosystems. As the line between ordinary cyber‑crime and geopolitical espionage blurs, organizations must treat supply‑chain security as a core component of their cyber‑resilience strategy.
