
This is part of a regular series of posts in which we’ll highlight useful, interesting, and otherwise cool queries for use with Censys Search and ASM. If you have any questions, similar queries, or custom versions of this week’s highlight, let us know!

This week I’m sharing something somewhat topical: queries you can use to detect issues related to the polyfill[.]io supply chain attack. Our research team published a bunch of info about this attack here. While the attack appears to have been mostly mitigated thanks to the suspension of the malicious domain, it’s worth digging a bit into potentially related compromised domains to remain vigilant, and to ensure that any lingering references to the original Polyfill domain or its potential relatives are removed from your codebase.

Censys Search query for exposed hosts referencing the malicious polyfill[.]io domain:

services.http.response.body:{`https://cdn.polyfill.io`, `https://cdn.polyfill.com`}

Censys Search query for exposed hosts referencing one of the additional potentially associated domains:

services.http.response.body:{`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`}

Censys ASM query for exposed hosts referencing the malicious polyfill[.]io domain:

host.services.http.response.body:{`https://cdn.polyfill.io`, `https://cdn.polyfill.com`} or web_entity.instances.http.response.body:{`https://cdn.polyfill.io`, `https://cdn.polyfill.com`}

Censys ASM query for exposed hosts referencing one of the additional potentially associated domains:

host.services.http.response.body:{`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`} or web_entity.instances.http.response.body:{`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`}
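The Censys queries above find hosts whose served pages mention these domains; the other half of the job is checking the HTML and templates you ship yourself. The script below is an added example (not Censys code) that does the same lookup locally: it parses an HTML document, pulls every `src`/`href` URL plus any URL strings inside inline `<script>` blocks, and reports the ones whose hostname is (or is a subdomain of) a domain from the queries above. The `WATCHLIST` is built from the six domains in the queries, and the sample HTML is constructed for this example. It deliberately matches on the parsed hostname rather than on a substring, so a lookalike such as `notcdn.polyfill.io` is not reported.

```python
"""Scan HTML for references to the domains named in the Censys queries above.

Added example, not Censys code. WATCHLIST is built from the domains in the
queries; SAMPLE_HTML is constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

WATCHLIST = (
    "cdn.polyfill.io", "cdn.polyfill.com",
    "cdn.bootcdn.net", "cdn.bootcss.com",
    "cdn.staticfile.net", "cdn.staticfile.org",
)

# Absolute ("https://host/...") or protocol-relative ("//host/...") URLs in inline JS.
HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)")


def is_watchlisted(host, watchlist=WATCHLIST):
    """True when host equals a watchlisted domain or is a subdomain of one.
    Exact/suffix matching avoids false hits such as 'notcdn.polyfill.io'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def hostname_of(url):
    """Hostname of an absolute or protocol-relative URL; None for relative paths."""
    try:
        return urlsplit(url.strip()).hostname
    except ValueError:
        return None


class _RefCollector(HTMLParser):
    """Collects src/href attribute values and the bodies of inline <script> tags."""

    def __init__(self):
        super().__init__()
        self.attr_refs = []   # (tag, url) pairs
        self.inline_js = []   # raw inline script text
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.attr_refs.append((tag, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser delivers <script> contents as raw data (CDATA mode).
        if self._in_script and data.strip():
            self.inline_js.append(data)


def find_watchlisted_refs(html, watchlist=WATCHLIST):
    """Return one dict per reference to a watchlisted domain, whether it appears
    as a tag attribute or as a URL string inside inline JavaScript."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for tag, url in parser.attr_refs:
        host = hostname_of(url)
        if host and is_watchlisted(host, watchlist):
            hits.append({"where": f"<{tag}> attribute", "host": host.lower(), "url": url})
    for body in parser.inline_js:
        for host in HOST_RE.findall(body):
            if is_watchlisted(host, watchlist):
                hits.append({"where": "inline script", "host": host.lower(), "url": host})
    return hits


# Constructed sample page: two attribute references, one dynamically injected
# script, and two benign references that must not be reported.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css">
<script src="https://cdn.example.com/vendor/jquery.min.js"></script>
<script src="/static/app.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://cdn.staticfile.org/jquery/3.6.0/jquery.min.js';
  document.head.appendChild(s);
</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for hit in find_watchlisted_refs(SAMPLE_HTML):
        print(f"{hit['host']:22} {hit['where']:18} {hit['url']}")
```

Run it over a page saved from one of the hosts the Censys queries surface, or over the templates in your repository, by passing the file contents to `find_watchlisted_refs`. Because the check keys on the hostname of each parsed URL, it also catches protocol-relative `//cdn...` references and scripts assembled at runtime, which a plain grep for `https://cdn.polyfill.io` would miss.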
