Polyfill.io claims reveal new cracks in supply chain security


Opinion. Library. Silent temples to the civilizing power of knowledge, or launch pads for global destruction? Yep, another word technology has borrowed and degraded. Code libraries are important for adding just the right standards-tested functionality to a project. They're also a natural home for supply chain attacks that materialize malware at the heart of the enterprise, like Klingon shock troops arriving by transporter beam.


Last week saw a beauty. Polyfill.io, which serves over 100,000 websites with JavaScript enhancements for older browsers, was suddenly accused of poisoning its functions with malware, thereby attacking all of those websites' users. It wasn't even the standard supply chain hack, where the bad guys get into an unsuspecting middleware vendor and plant the pathogens. The alleged chain was that polyfill.io had been bought earlier this year and the new owners were themselves responsible. The call went out to stop using polyfill.io immediately, with content delivery network Cloudflare redirecting calls to the site to sanitized proxies.
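The defender's first step the column implies is simply knowing which third-party hosts your pages pull scripts from. The following is an added example, not code from the article or from Polyfill.io: it inventories external `<script src>` hosts in an HTML document and flags any that match a chosen blocklist. The blocklist contents and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist: hosts a site operator has decided to stop loading scripts from.
BLOCKLIST = {"polyfill.io", "cdn.polyfill.io"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def external_script_hosts(html, page_host):
    """Return {host: [src, ...]} for scripts served from a host other than page_host."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    by_host = {}
    for src in parser.sources:
        # Protocol-relative URLs (//cdn.example/x.js) have no scheme; give them one so
        # urlparse yields a hostname. Relative paths (/static/app.js) yield none and are skipped.
        url = urlparse("https:" + src if src.startswith("//") else src)
        host = url.hostname
        if host and host.lower() != page_host.lower():
            by_host.setdefault(host.lower(), []).append(src)
    return by_host


def flagged_hosts(html, page_host, blocklist=BLOCKLIST):
    """Inventory hosts that match the blocklist exactly or as a subdomain of an entry."""
    return sorted(h for h in external_script_hosts(html, page_host)
                  if h in blocklist or any(h.endswith("." + b) for b in blocklist))


# Constructed sample page: one first-party script, one from polyfill.io, one other CDN.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdnjs.example.org/lib.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(flagged_hosts(SAMPLE_HTML, "www.example.com"))  # ['cdn.polyfill.io']
```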

Polyfill.io's initial reaction was to accuse the media and Cloudflare of defamation. Perhaps a better position to take would have been to plead not guilty, say that you are taking the situation seriously and that you are working closely with Cloudflare to quickly understand the matter. Angry accusations of media conspiracy may be very 2020s, but they put you in dubious company. However, the very concept of owner-to-supplier supply chain attacks is a special case that deserves inspection, one that will need its own rules to control. It's just that right now these rules are hard to discern.

It's nothing new for companies to buy an established software product and then fill it with rogue code, as the accusation against Polyfill.io reads. In the days when closed-source shareware from centralized repositories was the PC geek's go-to playground—no, Steve Jobs didn't invent the app store—familiar favorites could go bad overnight. Nullsoft's WinAmp MP3 player app was sold to AOL and quickly began installing the AOL desktop software by default. A popular product with intimate access to user systems will always be a tempting target, and middleware features prominently on the list. While the worst excesses of turn-of-the-century PC app repositories have been largely, but not entirely, tempered by the modern app store, no such curated protection exists for the enterprise.
