Polyfill.io in https://developer.blender.org/docs/ - Potential malware issue [RESOLVED: polyfill.io dependencies removed]

Rodge · July 14, 2024, 9:22pm

Seems my browser guard only blocks it in https://developer.blender.org/docs/ pages. Just wanted to warn anyone that uses the docs.

There has been a polyfill.io supply chain attack reported on June 25, 2024. A lot of eyes are on this attack and people are removing dependencies that use polyfill.

I recommend reading the article from Censys - July 2: Polyfill.io Supply Chain Attack – Digging into the Web of Compromised Domains

First direct block from the article:

On June 25, 2024, the Sansec forensics team published a report revealing a supply chain attack targeting the widely-used Polyfill.io JavaScript library. The attack originated in February 2024 when Funnull, a Chinese company, acquired the previously legitimate Polyfill.io domain and GitHub account. Shortly thereafter, the service began redirecting users to malicious sites and deploying sophisticated malware with advanced evasion techniques.

I removed links to non-blender websites in-case of an automatic topic removal. Easy enough to do a web-search about it.

Rodge · July 14, 2024, 9:28pm

Just to note, I was using firefox when I got this popup.

mont29 · July 15, 2024, 10:25am

Thanks for the heads up, the topic has been brought to our IT/website team

bartvdbraak · July 15, 2024, 11:01am

The polyfill.io dependency has been replaced with a safe mirror supplied by Cloudflare.

Download

What's New

Blender Studio

Manual

Developers Blog

Documentation

Benchmark

Blender Conference

Development Fund

One-time Donations

Polyfill.io in https://developer.blender.org/docs/ - Potential malware issue [RESOLVED: polyfill.io dependencies removed]