@rysiek this is one that terrifies me for almost a decade now. So far haven't seen it, but this is why we are moving to compiled node apps in containers with SBOMs and absolutely no external CDNs
@tanepiper honestly I am surprised that I was so far not able to find a specific example of this happening.
I do vaguely remember some cryptocurrency websites being targeted that way, but I think the vector was not CDNs but malicious npm dependencies on build time. 🤔
Many years ago we persuaded MySpace to let us inject code from a script we owned they put on their pages - if there was a way to still do that, I could imagine it working but browsers are pretty good these days at protecting against this - the only other way is to maybe background some serviced worker?
Add comment