Linkedin Tag

Blog

Industry News, Insights and Resources

The latest industry news, interviews, technologies, and resources.

Featured blog posts

New TTPs in Stealing PII and Financial Information from Magento Websites

At c/side, we actively monitor client-side supply chain attacks, with a focus on the evolving tactics, techniques, and procedures (TTPs) used by threat actors. One of the most common attacks we've observed over the past few months is the targeting of eCommerce websites built on the Magento framework. In particular, ...

The title of this article on a blue background

Why do websites need 3rd party scripts?

When developing a website, you’ll often include libraries to help speed up the development process, and avoid reinventing the wheel. However, there are times where you need to load a script from an external source. Due to recent attacks such as the Polyfill domain takeover , questions have been raised: ...

How web extensions can hurt your site (INFIRC[.]com and INFIRD[.]com)

The domain infirc[.]com and infird[.]com have caused quite the stir recently, and highlighted the dangers of infected or malicious web extensions. Infirc[.]com was first observed coming into our backend appearing as the referer header, even though it is not hosted or referenced by our site. Our public domains directory indexed ...

Read More

The Internet Archive Hack: How JavaScript fits in the picture

The Internet Archive, also known as The Wayback Machine, experienced a security breach yesterday. This was not the first time it had been targeted. A mocking JavaScript popup appeared, stating: Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a ...

Read More

The biggest Magecart attacks in history (so far)

Where the term “Magecart” comes from from Magecart attacks are a type of cyberattack where hackers inject malicious JavaScript code, often referred to as "skimming" scripts, into websites. This can be any type of website, but when talking Magecart, it’s almost exclusively e-commerce sites to try and capture credit card ...

Read More

New TTPs in Stealing PII and Financial Information from Magento Websites

At c/side, we actively monitor client-side supply chain attacks, with a focus on the evolving tactics, techniques, and procedures (TTPs) used by threat actors. One of the most common attacks we've observed over the past few months is the targeting of eCommerce websites built on the Magento framework. In particular, ...

Read More

Why do websites need 3rd party scripts?

When developing a website, you’ll often include libraries to help speed up the development process, and avoid reinventing the wheel. However, there are times where you need to load a script from an external source. Due to recent attacks such as the Polyfill domain takeover , questions have been raised: ...

Read More

c/side joins the PCI Security Standards Council as an Associate Participating Organization

We’re proud to announce that we’ve joined the Payment Card Industry Security Standards Council Security Standards Council (PCI SSC) as an Associate Participating Organization. The PCI SSC leads a global, cross-industry effort to enhance payment security by establishing flexible, industry-driven data security standards. Through collaboration with other industry leaders, the ...

Read More

Carlsberg a target in Magento “CosmicString” malware attack

The term “Magecart” refers to attacks on the Magento platform. Recently, another large campaign was found to target Magento sites again. Among these, Carlsberg was one of the compromised websites. The pattern of these attacks is almost always the same. A single line of JavaScript loads content from a remote ...

Read More

c/side joins the W3C

We’re incredibly proud to announce we have joined the W3C Web Application Security Working Group. The mission of the Web Application Security Working Group is to develop mechanisms and best practices to improve the security of web applications. Our whole team has been involved in cybersecurity for years. Through c/side, ...

Read More

Kuwait ecommerce site is being used to facilitate client-side skimming attacks

A popular e-commerce site in Kuwait, running an outdated version of Magento (2.4), has been compromised by a malicious JavaScript injection, exposing customer payment data. The vulnerability, likely linked to the CosmicString bug in Magento , has been patched, but sites not updated remain at risk. Unlike other impacted sites, ...

Read More

Threat feeds fail to detect attack for +2 years

c/side just detected a new client-side attack that’s been active for over 2 years. The domain guyacave[.]fr is serving a Personal Identifiable Information (PII) skimmer script on multiple websites since August of 2022. Check your website now, and remove the script with the domain immediately if found. During analysis of ...

Read More

Why do developers obfuscate JavaScript?

As a client-side security company protecting JavaScript, we see a lot of obfuscated scripts. When you use our tool, you can actually see the deobfuscated version of the scripts to see what it is doing. Deobfuscation has been around for a while, but why is code obfuscated in the first ...

Read More

Human Security vs c/side

This article takes an honest look at some of the features of Human Security vs c/side. Please note that you’re on the c/side website. While we have a natural bias, we present both tools in the same light. To complete your research, please visit the Human Security product pages. For ...

Read More

What is Client-Side Security?

Client-side security covers all operations occurring on a user's device, such as a browser on a computer or other device when interacting with a web application. Attacks targeting the client-side aim to manipulate the user’s interaction with that web application to steal data or inject malicious code. Why secure the ...

Read More

ButterCMS unreported downtime and security concerns

ButterCMS is a popular tool used to manage content for blogs. Earlier this week, we noticed a potentially severe security incident which triggered the team to remove ButterCMS from our site , and start an in depth investigation into what happened. Our aim is to share the findings of our ...

Read More

c/side raises a $6m seed round

We’re incredibly proud to announce our seed round of $6m, just six months after raising our pre-seed of $1.7m. Led by Uncork Capital as the lead, with participation from Mantis and PrimeSet . We also welcome back Scribble VC and Roar Ventures who supported us in the pre-seed. Together with ...

Read More

Cisco client-side Magecart JavaScript attack

Another day, another high-profile client-side JavaScript attack. This morning, we read that Cisco is the next victim of malicious code being loaded through a third-party script. The Cisco Merchant website operates on the Magento Enterprise framework, which is widely used by eCommerce websites. Magento offers a robust and scalable platform, ...

Read More

When 3rd party JavaScript attacks (JSParty Podcast)

Two weeks ago our own Simon Wijckmans featured on the JSParty podcast by Changelog to talk about the dangers of 3rd party JavaScript. A great opportunity for all to learn more about client-side security and how JavaScript fits into that picture. A massive thanks to Changelog, and Jerod and Nick ...

Read More

c/side picked for TechCrunch Disrupt Startup Battlefield 2024

We’re incredibly proud to announce that we were selected for TechCrunch Disrupt Startup Battlefield in 2024. This year’s Startup Battlefield participants span artificial intelligence (AI), software as a service (SaaS), fintech, security, sustainability, space exploration and more. Out of thousands of startups, just 200 make the cut, and we are ...

Read More

Feroot vs c/side

This article takes an honest look at the features of Feroot vs c/side. Please note that you’re on the c/side website. While we have a natural bias, we present both tools in the same light. To complete your research, please visit the Feroot product pages. The differences between Jscrambler Webpage ...

Read More

How to speed up JavaScript

Eliminate render-blocking resources , reduce unused JavaScript and minimize main thread work are usually found right on top of the PageSpeed Insights report. They talk about potential savings, but besides using the defer tag, there isn’t much info on how to do this. Though there are a few extra ways ...

Read More

What are digital skimmers?

Recently, we read of a new significant cyberattack campaign which targeted hundreds of online stores, exploiting vulnerabilities in third-party scripts and plugins. This is a perfect example of a ‘digital skimmer’. Digital skimmers are snippets of code maliciously injected into legitimate websites. They target personal and credit card information. This ...

Read More

Why browsers are becoming increasingly more dangerous

Technologies like WebAssembly (WASM), WebGPU, and IndexedDB have transformed what browsers can achieve. This evolution has expanded the functionality of browsers, massively evolving the use cases and experiences. However, this increased complexity also brings a significant cybersecurity concern: an enlarged attack surface. To understand where we are today, let’s take ...

Read More

The true cost of a cyber attack

Calculating the true cost of a cyber attack is difficult. None are the same, and companies respond differently. Yet it’s important to report on this in as much detail as possible to accurately represent the full picture of when this happens to your business. Suffering an attack usually comes with ...

Read More

Is Tuaw a scam in the making?

When we saw the new Fireship video yesterday, we were immediately reminded of the recent Polyfill attack. Our first article was picked up and referenced by most cybersecurity news outlets, and a week later we published our full post-mortem . When Fireship then reported on Tuaw, “The Unofficial Apple Weblog” ...

Read More

The Copay event-stream attack illustrates dependency risks

The JavaScript ecosystem experienced a significant shock with a sophisticated attack on Copay, a popular cryptocurrency wallet provider, in November 2018. Known as the event-stream attack , this incident highlighted the critical vulnerabilities associated with relying on third-party dependencies in software development. Understanding the attack Event-stream, a popular npm package, ...

Read More

The Segway cyber attack explained

In January 2022, the Segway web store suffered a web supply chain attack - also often referred to as a Magecart attack. In these types of attacks, malicious JavaScript code is added that loads from the client-side, known as third-party scripts. Many common tools are third-party scripts. Things like analytics, ...

Read More

Don't deploy scripts site-wide

Third-party scripts are often deployed site-wide, typically injected in the head tags in web frameworks like Next.js via the ’_document.js’ file. This widespread implementation, while convenient for developers and often recommended by onboarding guides, means these scripts run across the entire site. This is simpler to implement, but it also ...

Read More

What is an attack vector and what are hidden ones

An attack vector in cyber security is the way an attacker takes advantage of security weaknesses. Some are more obscure than others. One that’s been our focus, is third party JavaScript. Since these scripts are installed by the website owner yet executed in the visitors' browsers, they're in a unique ...

Read More

Web supply chain attack through trojanized jQuery on npm, GitHub and CDNs

Attacks have been found in trojanized jQuery on GitHub, npm and jsDelivr in a new web supply chain attack. Each package had a copy of jQuery with one small change: the ‘end’ function . This is part of the jQuery prototype, and was modified to include additional malicious code. In ...

Read More

How expired domains lead to cyber attacks

This is a multifaceted issue. Simply buying an expired domain isn't illegal. However, if a domain name is trademarked, then purchasing it (known as cybersquatting) could potentially breach copyright laws. But this of course will not defer attackers who usually remain anonymous and unnoticed.

Read More

The Polyfill attack explained

Recently over 490,000 websites were targeted in a web supply chain attack. We were amongst the first to report on this . NOTE: If a website is referencing the domains polyfill[.]io bootcss[.​]com bootcdn[.]​net or staticfile[.]​org today, they are still open to this attack. What was the Polyfill service project? Polyfill ...

Read More

What is the browser supply chain?

c/side is a cyber security product that lives in the browser supply chain space. We and other vendors operating here, like to talk about that supply chain . But what do we mean by it exactly? The browser supply chain is the different components and processes that come together to ...

Read More

More than 490k websites targeted in web supply chain attack

The cdn.polyfill.io domain is currently being used in a web supply chain attack. It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code in scripts served to end-users.

Read More

Why you can trust c/side

Script security is our bread and butter. For lots of vendors, serving the script is just a part of their product. We put every care and attention to detail in how we proxy, store and process scripts. We work to cover the blind spots that others might have missed.

Read More

The BrowseAloud Supply-Chain Attack: A Case Study in Cryptojacking

In February 2018, over 4,000 websites, including high-profile government bodies like the UK's Information Commissioner’s Office (ICO), fell victim to the BrowseAloud attack . This was not just another cybersecurity breach; it was a potent reminder of the hidden dangers of third-party scripts in our increasingly interconnected digital ecosystems. notionvc: ...

Read More

Why CSPs Are Not Enough

Content Security Policies (CSPs), scoped and promoted by the W3C , offer a browser-side feature designed to enhance web security. If implemented correctly, with specific rules per page, they can provide substantial security benefits. However, in practice, they tend to be cumbersome to set up, frequently break during local development, ...

Read More

Ticketmaster Data Breach Déjà Vu: What You Need to Know

Yesterday on May 29, 2024, news broke of an alleged data breach involving Ticketmaster , a prominent ticket sales and distribution company. The breach, reportedly executed by ShinyHunters , is claimed to have exposed the personal information of over 500 million customers. This breach includes sensitive data such as emails, ...

Read More

Supply Chain Risk Doesn’t End At NPM

Supply Chain attacks are a top of mind problem today. The number of these attacks in the US increased by 115% between 2022 and 2023, according to Statista . Tools like Socket and Coana detect harmful code in registries like NPM. But the supply chain risk doesn’t end there. However, ...

Read More

Kaiser Permanente Data Leak: A Case of Miscommunication and Inadequate Disclosure

On April 29th, healthcare giant Kaiser Permanente disclosed a data leak impacting 13.4 million current and former insurance members . The incident was rooted in improperly managed 3rd party scripts. The Incident Kaiser Permanente used tracking codes to monitor how its members navigated through its website and mobile applications. Some ...

Read More

Introducing c/side free tier BETA

We’re excited to announce the launch of c/side. Monitoring, Securing and Optimizing 3rd Party Scripts . In today's digital landscape, third-party scripts are a key part of the supply chain. Yet it is often forgotten about and therefore presents a threat. Browser Supply Chain Risks are an age old and ...

Read More

Threat Feeds In The AI Era

Here’s what threat feeds are, and why it’s only a small cog in the cyber security machine in 2024. We also share the more complete solution to protect yourself from cyber attacks.

Read More

Imperva Client-side Protection vs c/side

Let’s take an honest look at the features of Imperva’s Client-side Protection product vs c/side.

Read More

Jscrambler Webpage Integrity vs c/side

Other than other competitors providing a form of browser-side security almost as an afterthought, Jscrambler’s focus is similar to ours at c/side.

Read More

Akamai Page Integrity Manager vs c/side

Akamai Page Integrity Manager vs c/side. Which is better?

Read More

Cloudflare Page Shield vs c/side

This article takes an honest look at the features of Cloudflare Page Shield vs c/side.

Read More

The 2021 cdnjs Vulnerability in Detail

Checking 3rd party scripts sources is great, but not enough. That’s what the world learned in 2021, when a massive vulnerability in Cloudlfare’s cdnjs got noticed. Here’s the rundown of what, and how, it happened. Cdnjs is one of the most commonly used JavaScript Content Delivery Networks (CDNs) of today. ...

Read More

The risk of only protecting your payment portals from 3rd party javascript attacks

At this time, only payment portals are required to have a system to keep 3rd party JavaScript in check. But, there’s still a data breach risk if you don’t secure all pages.

Read More

PCI DSS 4.0 complete guide and steps

PCI DSS 4.0 is built on six foundational principles aimed at fostering a secure environment for people making (and those facilitating) online transactions. Let's dive into all of them and see how you can be fully compliant.

Read More

Get Started Today

Start monitoring and securing 3rd party scripts on your websites today.