Remove from your website

The JavaScript CDN service has started spreading malicious code. Remove the service’s script from your website.

Why you need to remove the script from your website

If your website uses the script from, we recommend removing it ASAP: the service is sending malicious code to your visitors. This article explains what is for, why it’s become dangerous to use, and what you should do about it if you do use it.

What polyfills and are

A polyfill is a piece of code that implements features otherwise unsupported by certain browser versions. This is typically JavaScript code that adds support for HTML5, CSS3, JavaScript API and other standards and technologies that spare web developers the headache of supporting exotic or outdated browsers. Polyfills saw their heyday in the 2010s as HTML5 and CSS3 gradually took over the Web. is a service that helps automatically deliver polyfills that a browser requires for displaying a particular website.

The service gained popularity both for its efficiency (only the polyfills you need are loaded) and for its regular updates to the technologies and standards used. Straightforward implementation was a factor as well: all the developer needed to start using was to add a short string to the website code in order to enable the service’s script. was originally created by the Financial Times web development team. In February 2024, the service, along with the associated domain and GitHub account, was sold to the Chinese CDN provider Funnull. It wasn’t six months before trouble began.

Malicious code from

On June 25, 2024, researchers at Sansec discovered that had begun to deliver malicious code to users of websites that used The code used a typosquatted domain pretending to be Google Analytics to redirect users to a Vietnamese sports betting site.

The malicious code redirected the users of compromised sites to a sports betting site written in Vietnamese

According to the researchers, this wasn’t the first time that had been caught spreading malicious code. Those who had noticed the dangerous behavior earlier tried complaining (archived link) in GitHub comments, but the new owners of quickly removed all the criticisms (here’s another example from the Internet Archive).

The potentially harmful script is allegedly present on more than 100,000 websites — some of them rather big ones.

Google Ads: one more reason to remove

In case visitors getting a malicious script doesn’t sound too worrying, Google Ads is giving website operators a further valid reason to hurry up and get the problem fixed.

Google’s advertising service has suspended the display of ads linking to websites that spread malicious scripts from several services. Besides, the list includes, and

A Google Ads suspension warning due to the website using a malicious script downloaded from,, or Source

You’d be wise to stop using the aforementioned services on your website, or else you risk losing traffic, both because the malicious scripts lead users away and because Google Ads no longer promotes you.

Protecting against the attack

Here are a few steps to take in response to the attack:

  • Remove the script from your website as soon as you can — along with ones from, and
  • Consider dropping polyfills altogether. The developer, which recommends doing just that, says that polyfills are no longer relevant.
The developer recommends removing and dropping polyfills altogether as these are no longer relevant. Source

  • If you can’t follow that advice for some reason, use the alternatives by Cloudflare or Fastly.
  • All in all, try cutting down on the number of external scripts your website uses. Each of those is a potential vulnerability.
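
One way to act on the first and last points, as an added example that is not part of the original article: a Python inventory of the third-party script hosts a page loads, flagging any host on a removal list and counting tags that carry no `integrity` attribute. The hostnames in `BLOCKED_HOSTS`, the sample page and the function names are assumptions made for the illustration; fill in the hosts you need to remove.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Placeholder hostnames (assumption): replace with the hosts you must remove.
BLOCKED_HOSTS = {"polyfill-cdn.example", "static-cdn.example"}

# Constructed sample page for the demonstration.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="//CDN.polyfill-cdn.example/v3/polyfill.min.js?features=fetch"></script>
<script src="https://libs.example.net/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://libs.example.net/widget.js"></script>
</head></html>
"""

class ScriptCollector(HTMLParser):
    """Records (src, has_integrity) for every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"].strip(), bool(attr.get("integrity"))))

def audit_scripts(html, site_host):
    """Return {host: {"urls", "blocked", "unpinned"}} for third-party scripts."""
    collector = ScriptCollector()
    collector.feed(html)
    report = {}
    for src, has_sri in collector.scripts:
        # Relative paths have no hostname (first-party); //host/x is external.
        host = (urlsplit(src).hostname or "").lower()
        if not host or host == site_host.lower():
            continue
        entry = report.setdefault(host, {"urls": [], "blocked": False, "unpinned": 0})
        entry["urls"].append(src)
        # Match a blocked host itself or any of its subdomains.
        entry["blocked"] = any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)
        entry["unpinned"] += not has_sri  # no integrity attribute on this tag
    return report

if __name__ == "__main__":
    for host, info in sorted(audit_scripts(SAMPLE_HTML, "www.example.org").items()):
        status = "REMOVE" if info["blocked"] else "review"
        print(f"{status:6} {host}: {len(info['urls'])} script(s), {info['unpinned']} without integrity")
```

Run it over the rendered HTML of each template or page; scripts injected at runtime by other scripts do not appear in static markup and need a check in the browser's network panel.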