Worth grepping your source code for "polyfill.io" and taking urgent measures to remove that code if you're linking it into your site - the domain name apparently now intermittently serves malicious JavaScript
My notes here: https://simonwillison.net/2024/Jun/25/polyfill-supply-chain-attack/ - or read this article https://sansec.io/research/polyfill-supply-chain-attack
@simon Hopefully everyone has at least been adopting the `integrity` attribute, right? Right?
@command_tab that sadly doesn't work for polyfill.js because the whole idea there was to serve different JavaScript based on the user-agent header, so browsers that support features don't get sent polyfills
@simon Well, shoot. That is kind of a situation then
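Added example, not written by anyone in this thread: a Python check that finds `<script>` tags loading from polyfill.io in HTML source and then shows why a single pinned `integrity` hash cannot cover a response that varies by user agent. The sample HTML and both response bodies are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri(body: bytes) -> str:
    """Value a browser compares against the integrity attribute (SHA-384)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptFinder(HTMLParser):
    """Collect <script src> tags whose host is polyfill.io or a subdomain."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        # urlparse also handles protocol-relative URLs such as //polyfill.io/...
        host = (urlparse(a.get("src") or "").hostname or "").lower()
        if host == "polyfill.io" or host.endswith(".polyfill.io"):
            self.hits.append((a["src"], a.get("integrity")))

def find_polyfill_scripts(html: str):
    finder = ScriptFinder()
    finder.feed(html)
    return finder.hits

def pinned_hash_accepts(pinned: str, body: bytes) -> bool:
    """True if a browser enforcing `pinned` would run this response body."""
    return sri(body) == pinned

# Constructed sample page: two real references and one lookalike host.
SAMPLE_HTML = """
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="https://polyfill.io.example.com/p.js"></script>
"""
# Constructed stand-ins for what two different user agents would be served.
BODY_MODERN = b"/* no polyfills needed */"
BODY_LEGACY = b"/* polyfills */ window.fetch = window.fetch || function(){};"

if __name__ == "__main__":
    for src, integrity in find_polyfill_scripts(SAMPLE_HTML):
        print(src, "integrity:", integrity or "none")
    pinned = sri(BODY_MODERN)
    print("modern UA accepted:", pinned_hash_accepts(pinned, BODY_MODERN))
    print("legacy UA accepted:", pinned_hash_accepts(pinned, BODY_LEGACY))
```

A hash pinned against one variant makes every browser that is served a different variant reject the script, which is why the hash cannot be published once for all visitors.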