malicious javascript injected into 100,000 websites

Published 2024-06-28
A malicious CDN has been caught shipping JavaScript exploits on over 100,000 websites. This is truly one of the craziest attacks I've ever seen.

Issue: github.com/polyfillpolyfill/polyfill-service/issue…
Writeup: lyra.horse/blog/2024/05/exploiting-v8-at-openecsc/

All Comments (21)
  • @daniels-mo9ol
    Every project that uses NPM is basically a security problem too. Like set up a basic project and you already have a billion dependencies nobody knows what they do.
  • @user-uu5xf5xc2b
    when the child says googie : 🥰 when the hacker says googie : 💀
  • @edhelatar
    Web dev here. Although V8 hack is possible, I am almost certainly sure this code is actually intended to steal user sessions, user input or any other security tokens etc. It's especially useful if you get admin session or credentials on things like WordPress, as from that you can hack the server and use it as a bot farm for DDoS or hoping that WP will give you access to other systems.
  • @MrVecheater
    The web is the only place where it's generally accepted to run 100k lines of code* to render text. *Disclaimer: If you're reading this as a smart expert: I'm talking about application code. We have abstractions for a reason 🙂
  • @creysoft
    The code is pretty easily de-obfuscated. All it does is attempt to redirect you to other (probably malicious) websites. It has a few interesting features, like its own custom base64 decoder, its own implementation of RC4, and some code to check if you have an admin cookie set (probably so it won't redirect the developer.) But it's definitely not some kind of memory exploit.
  • @saberint
    Another reason why we don’t use 3rd party libraries or CDNs. You can’t secure what you don’t control.
  • @jonbikaku6133
    Firefox uses Gecko, not V8. It's their own engine and one of the main reasons we need it alive. V8 is, however, really optimized at this point.
  • @zzco
    Lol, nope. Firefox doesn't use V8. Being the inventor of JavaScript, they use the engine they developed during Netscape's heyday. Mozilla has maintained it ever since. That is specific to Chromium-based browsers.
  • @klausgrnbk6862
    If you are including scripts from a CDN, you should always use the