
Polyfill.io JavaScript Supply Chain Attack — 380,000 Websites Compromised

📅 2024-06-25 🏢 cdn.polyfill.io (JavaScript polyfill CDN service)

Incident Details

In June 2024, researchers at Sansec reported that cdn.polyfill.io, a JavaScript polyfill service loaded by roughly 380,000 websites, was serving malicious code. Polyfill.io provided JavaScript 'polyfills' that let older browsers support modern web features; because the script was generated per request from the browser's User-Agent, sites could not pin it with Subresource Integrity. In February 2024 the domain and its GitHub repository were sold to Funnull, a China-linked CDN company. The new owners modified the polyfill.js script served by the CDN so that it redirected mobile users to a fake sports-betting site and other malicious destinations. The injected code was selective: it activated only on specific mobile browsers, stayed dormant when it detected an admin user or a web analytics service such as Google Analytics, and carried anti-debugging logic. Affected sites included Hulu, JSTOR, Intuit, the World Economic Forum, Mercedes-Benz and hundreds of thousands of others. Cloudflare and Fastly offered clean drop-in mirrors of the polyfill service, and Google blocked ads for landing pages that loaded the malicious CDN. Andrew Betts, who created Polyfill.io, had already warned websites not to use the service after the sale, noting that he had never owned the domain and that modern browsers no longer need polyfills. Namecheap subsequently suspended the polyfill.io domain. The incident prompted widespread calls to stop loading third-party JavaScript from external CDNs and to self-host critical dependencies.

Technical Details

Initial Attack Vector
Funnull, a China-linked CDN company, acquired the polyfill.io domain and its GitHub repository in February 2024, then modified the polyfill.js script served by cdn.polyfill.io to inject code that redirected mobile users to scam and other malicious sites, with browser targeting, analytics and admin-user checks, and anti-debugging logic to avoid detection
Vendor / Product
cdn.polyfill.io (JavaScript polyfill CDN service)
Software Package
polyfill.js
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2024-02 polyfill.io domain and GitHub repository acquired by Funnull
  2. 2024-06-25 Malicious polyfill.js reported by Sansec and publicly disclosed