Security News

Cybersecurity news aggregator

HIGH Attacks SecurityWeek

Polyfill Supply Chain Attack Impacting 100k Sites Linked to North Korea

The Polyfill supply chain attack involved the malicious acquisition of the polyfill.io service, after which the new operators injected malicious JavaScript into the served scripts to redirect mobile users to specific websites. The attack vector was the compromise of a widely used third-party JavaScript library, impacting over 100,000 websites that embedded it. Organizations should immediately remove or replace any references to the polyfill.io domain in their websites and audit their supply chain dependencies.
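The remediation the summary calls for, finding and removing every reference to the polyfill.io domain, is mechanical enough to script. The scanner below is an added example, not code from the article, SecurityWeek or Hudson Rock: it walks a site's HTML and JavaScript sources, extracts src/href attributes and URL string literals, and reports any whose host is polyfill.io or a subdomain such as cdn.polyfill.io, so each hit can be removed or self-hosted. The flagged-domain list, the function names and the sample page are constructed for this example; a site's real sources would be passed to scan_tree.

```python
"""Audit web assets for references to the polyfill.io domain.

Added example, not part of the SecurityWeek article. It flags <script>/<link>
attributes and JavaScript string literals that point at polyfill.io (including
cdn.polyfill.io) so they can be removed or replaced with a self-hosted copy.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List

# Domain named in the article; subdomain matching covers cdn.polyfill.io.
# Extend this tuple with other domains you decide to disallow (constructed list).
FLAGGED_DOMAINS = ("polyfill.io",)

# Alternative 1: src= / href= attributes (quoted or bare) in HTML or JS.
# Alternative 2: absolute or protocol-relative URLs inside JS string literals.
_URL_RE = re.compile(
    r'(?:src|href)\s*=\s*["\']?(?P<url>[^"\'\s>]+)'
    r'|["\'](?P<lit>(?:https?:)?//[^"\']+)["\']',
    re.IGNORECASE,
)
# Extracts the host from an absolute or protocol-relative URL.
_HOST_RE = re.compile(r"^(?:https?:)?//(?P<host>[^/:?#]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    source: str   # file path or label of the scanned text
    line: int     # 1-based line number
    url: str      # the offending URL exactly as written


def _host_is_flagged(url: str) -> bool:
    """True if the URL's host is a flagged domain or one of its subdomains."""
    m = _HOST_RE.match(url)
    if not m:
        return False  # relative URL: served from our own origin, not a CDN
    host = m.group("host").lower()
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)


def scan_text(text: str, source: str = "<text>") -> List[Finding]:
    """Return every reference to a flagged domain found in `text`, in order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _URL_RE.finditer(line):
            url = m.group("url") or m.group("lit")
            if _host_is_flagged(url):
                findings.append(Finding(source, lineno, url))
    return findings


def scan_tree(root: Path, suffixes: Iterable[str] = (".html", ".htm", ".js")) -> List[Finding]:
    """Walk a directory of web assets and scan every file with a matching suffix."""
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample page: one flagged <script> tag, one protocol-relative
# loader inside inline JS, and one first-party script that must not be reported.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="/static/app.js"></script>
<script>
  var s = document.createElement('script');
  s.src = '//polyfill.io/v3/polyfill.min.js';
</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_HTML, "sample.html"):
        print(f"{f.source}:{f.line}: remove or self-host {f.url}")
```

The host check deliberately compares the parsed hostname rather than searching for the substring "polyfill.io", so a first-party file that merely happens to be named polyfill.io.js is not reported while any subdomain of the flagged domain is.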

Cybercrime

The 2024 incident was initially linked to China, but an infostealer infection has now revealed North Korean involvement.

By Eduard Kovacs | March 12, 2026 (5:40 AM ET)

The Polyfill supply chain attack that hit more than 100,000 websites back in 2024 has now been linked to North Korean threat actors after it was initially tied only to China.

In February 2024, the popular Polyfill.io service, used by websites to deliver JavaScript code for browser compatibility, was acquired by Chinese CDN company Funnull, which then began injecting malicious JavaScript into scripts served from cdn.polyfill.io. The malicious code, which targeted mobile users with evasion techniques and redirected them to betting or adult sites, was confirmed by security firms Sansec and C/side in June 2024.

The attack affected more than 100,000 websites that embedded the library, prompting widespread recommendations to remove references to the Polyfill domain immediately due to the risk of malicious activity with an even greater impact. Cloudflare and Google also took action to protect users at the time.

The involvement of Funnull led to the belief that this was a Chinese operation. However, evidence uncovered recently by Hudson Rock, a cybersecurity firm specializing in infostealer malware intelligence, indicates that Funnull was likely just a “corporate front” for an operation that also involved North Korean threat actors.

Hudson Rock has been monitoring data stolen from computers infected with infostealers, including one device used by one or more North Korean hackers. The hacker had downloaded a fake software installer that delivered a LummaC2 malware sample, which collected credentials, browser logs, and other data from the compromised machine.

According to Hudson Rock, the data collected by the malware enabled the security firm to “establish an ironclad chain of evidence linking the North Korean operator to the Chinese syndicate and the Polyfill control panels”.

Hudson Rock said the evidence collected by the malware from the North Korean hacker’s device included credentials for the Funnull DNS management portal, credentials for the Polyfill Cloudflare tenant (proving that the weaponized domain was under the hacker’s control), and conversations regarding the malicious domain configuration changes made in the Polyfill attack.

The security firm believes the goal of the Polyfill supply chain attack was to redirect users to gambling websites owned by the China-based company Suncity Group. This gambling ecosystem was “engineered to launder massive volumes of cryptocurrency back to the North Korean state”, the company said. North Korean hackers are believed to have stolen more than $2 billion worth of cryptocurrency in 2025.

The data stolen by the infostealer malware from the same North Korean device also revealed details of a different operation in which a North Korean operative secured a job at the cryptocurrency exchange Gate. The fake worker exploited access to the company’s systems to obtain intelligence on procedures meant to prevent North Korean money laundering.

Written By Eduard Kovacs

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
