Your ShokaX and Shoka sites may be under a supply chain attack #293
Closed
zkz098
announced in
Announcements
-
The official polyfill repository has now been flagged with a risk warning, and the related website has gone down
-
According to warnings from security organizations, the supply chain attack has spread further. This is the warning list:
-
**#292 has fixed the related issue; please update to version 0.4.5 or higher immediately**
According to reports from relevant security agencies and major service providers, the Polyfill service is highly likely to have been involved in a supply chain attack and to have distributed malicious code. Here are some related reports:
Unfortunately, ShokaX versions 0.4.4 and earlier all used the untrusted polyfill service, so most ShokaX sites are currently experiencing supply chain attacks.
We strongly recommend updating to ShokaX version 0.4.5 immediately and replacing any previous deployments. We will deprecate versions 0.4.4 and earlier soon.
In addition, Shoka users are advised to update to ShokaX immediately to fix this issue; we will provide support for the migration.
If possible, please forward this information to projects that use polyfill.io and have not yet changed it. Thank you for your cooperation.
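A way to confirm that a redeployed site no longer loads anything from the service named in the announcement. This is an added example, not code from the announcement or from the ShokaX project. The function names and the sample HTML are constructed for illustration, and the blocked list contains only `polyfill.io` because that is the only host this page names.

```javascript
// Hosts to flag. Only the service named in the announcement is listed.
const BLOCKED_HOSTS = ['polyfill.io'];

// Constructed sample page: three references to the blocked service,
// one local script, and one lookalike host that must NOT be flagged.
const SAMPLE_HTML = `
<head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src='//polyfill.io/v3/polyfill.min.js'></script>
<link rel="preconnect" href="https://POLYFILL.IO">
<script src="/js/app.js"></script>
<script src="https://polyfill.io.example.invalid/p.js"></script>
</head>`;

// True when host is a blocked domain or a subdomain of one. Comparing whole
// labels avoids the false positives of a plain substring search.
function isBlockedHost(host, blocked = BLOCKED_HOSTS) {
  const h = host.toLowerCase().replace(/\.$/, ''); // drop a trailing root dot
  return blocked.some((d) => h === d || h.endsWith('.' + d));
}

// Collect src/href values of <script> and <link> tags, resolve them against
// the page URL (so protocol-relative "//host/..." works), keep blocked ones.
function findBlockedResources(html, pageUrl = 'https://example.invalid/') {
  const hits = [];
  const tagRe = /<(?:script|link)\b[^>]*>/gi;
  const attrRe = /\s(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  for (const [tag] of html.matchAll(tagRe)) {
    const m = attrRe.exec(tag);
    if (!m) continue;
    let url;
    try { url = new URL(m[1] ?? m[2] ?? m[3], pageUrl); } catch { continue; }
    if (isBlockedHost(url.hostname)) hits.push(url.href);
  }
  return hits;
}

// CLI use under Node (CommonJS): node check.js public/index.html ...
if (typeof require !== 'undefined' && typeof module !== 'undefined' &&
    require.main === module) {
  const fs = require('fs');
  for (const file of process.argv.slice(2)) {
    for (const hit of findBlockedResources(fs.readFileSync(file, 'utf8'))) {
      console.log(`${file}: ${hit}`);
    }
  }
}
```

The check only sees static `<script>` and `<link>` tags; a script that injects the loader at runtime needs a look at the browser's network log as well.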