Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Software supply chain attacks used to happen to other people. Big targets, sophisticated adversaries, incidents that got named after rivers. Two stories this week make clear how thoroughly that picture has changed.
Hudson Rock forensic researchers linked the Polyfill.io supply chain attack to a North Korean operative. If you missed it: Polyfill.io was a widely used JavaScript compatibility shim included by millions of websites. In mid-2024, someone with control of the domain started serving malicious JavaScript to visitors of every site that loaded the library. More than 100,000 websites were affected.
Users visiting those sites weren’t downloading anything or clicking anything suspicious. They were just browsing the web. The payload appears to have included credential harvesting and crypto theft, consistent with how DPRK threat actors have operated for years.
Attribution caveat: this is forensic analysis tracing through a LummaC2 infostealer infection, not a government determination. Treat it as researcher-attributed.
But the mechanism isn’t in question. An entire population of websites got poisoned at once because every one of them trusted a shared JavaScript dependency, fetched live from a third-party domain, without auditing it.
The DPRK angle adds something specific. Nation-states don’t usually bother with criminal-scale fraud. North Korea is the exception. They fund programs through cyber theft, and poisoning a high-reach JavaScript shim serving 100,000+ sites is exactly their kind of operation.
CVE-2026-28292 landed with a CVSS 9.8. Remote code execution in simple-git, a Node.js library for working with Git repos. Gets downloaded millions of times per week. Embedded in dev tools, CI/CD pipelines, and applications as a transitive dependency developers may not even know about.
The bug is a case-sensitivity bypass of the library's input validation: an attacker who can get user-controlled input into a simple-git operation can slip past the check and trigger code execution.
What connects these is the trust model. Developers add libraries and web teams include CDN-hosted scripts without thinking of it as a trust decision. The library works, it’s widely used, done. That unexamined trust is the attack surface.
Polyfill’s attacker didn’t need to breach any individual website. They just needed the distribution point. simple-git’s flaw doesn’t require attacking a specific app. Any app that passes user-controlled data to it is exposed.
For web teams: audit third-party CDN-hosted JavaScript. If you’re loading external scripts from URLs you don’t control, you’ve delegated trust to whoever controls that domain, today and after its next change of hands. Self-host what you can, and pin the rest with Subresource Integrity so a changed file fails to load instead of running; a service like polyfill.io, which tailored its output to each visitor’s browser, cannot be pinned that way at all, which is one more reason to take such scripts in-house. For developers: check your dependency tree for simple-git, including transitive copies pulled in by build and release tooling, and update it. The time when open-source dependencies could be treated as background infrastructure, reliable and implicitly trusted, is over.