Blog
Industry News, Insights and Resources
The latest industry news, interviews, technologies, and resources.
Featured blog posts
New TTPs in Stealing PII and Financial Information from Magento Websites
At c/side, we actively monitor client-side supply chain attacks, with a focus on the evolving tactics, techniques, and procedures (TTPs) used by threat actors. One of the most common attacks we've observed over the past few months is the targeting of eCommerce websites built on the Magento framework. In particular, ...
Why do websites need 3rd party scripts?
When developing a website, you’ll often include libraries to help speed up the development process, and avoid reinventing the wheel. However, there are times where you need to load a script from an external source. Due to recent attacks such as the Polyfill domain takeover , questions have been raised: ...
New 3rd party JS script attack found: Artifyau[.]com and Quantifymy[.]com
A mere few days after deploying our research scanner, crawling the web for attack, we found the domain artifyau[.]com injecting malicious scripts into websites. We first detected it on store.racerdirect[.]net and found 106 other infected websites . One of which being buildsitepro[.]com/checkout/cart on which we reviewed the payload of the ...
New Magecart attack code revealed
On October 18th, we posted an article into how we noticed a bunch of proxy requests from infirc[.]com and later infird[.]com . Our domains directory scanned and indexed both domains. A few days later we saw a surge of search traffic on both pages, from people looking for an answer. ...
How web extensions can hurt your site (INFIRC[.]com and INFIRD[.]com)
The domain infirc[.]com and infird[.]com have caused quite the stir recently, and highlighted the dangers of infected or malicious web extensions. Infirc[.]com was first observed coming into our backend appearing as the referer header, even though it is not hosted or referenced by our site. Our public domains directory indexed ...
The Internet Archive Hack: How JavaScript fits in the picture
The Internet Archive, also known as The Wayback Machine, experienced a security breach yesterday. This was not the first time it had been targeted. A mocking JavaScript popup appeared, stating: Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a ...
The biggest Magecart attacks in history (so far)
Where the term “Magecart” comes from from Magecart attacks are a type of cyberattack where hackers inject malicious JavaScript code, often referred to as "skimming" scripts, into websites. This can be any type of website, but when talking Magecart, it’s almost exclusively e-commerce sites to try and capture credit card ...
New TTPs in Stealing PII and Financial Information from Magento Websites
At c/side, we actively monitor client-side supply chain attacks, with a focus on the evolving tactics, techniques, and procedures (TTPs) used by threat actors. One of the most common attacks we've observed over the past few months is the targeting of eCommerce websites built on the Magento framework. In particular, ...
Why do websites need 3rd party scripts?
When developing a website, you’ll often include libraries to help speed up the development process, and avoid reinventing the wheel. However, there are times where you need to load a script from an external source. Due to recent attacks such as the Polyfill domain takeover , questions have been raised: ...
c/side joins the PCI Security Standards Council as an Associate Participating Organization
We’re proud to announce that we’ve joined the Payment Card Industry Security Standards Council Security Standards Council (PCI SSC) as an Associate Participating Organization. The PCI SSC leads a global, cross-industry effort to enhance payment security by establishing flexible, industry-driven data security standards. Through collaboration with other industry leaders, the ...
Carlsberg a target in Magento “CosmicString” malware attack
The term “Magecart” refers to attacks on the Magento platform. Recently, another large campaign was found to target Magento sites again. Among these, Carlsberg was one of the compromised websites. The pattern of these attacks is almost always the same. A single line of JavaScript loads content from a remote ...
c/side joins the W3C
We’re incredibly proud to announce we have joined the W3C Web Application Security Working Group. The mission of the Web Application Security Working Group is to develop mechanisms and best practices to improve the security of web applications. Our whole team has been involved in cybersecurity for years. Through c/side, ...
Kuwait ecommerce site is being used to facilitate client-side skimming attacks
A popular e-commerce site in Kuwait, running an outdated version of Magento (2.4), has been compromised by a malicious JavaScript injection, exposing customer payment data. The vulnerability, likely linked to the CosmicString bug in Magento , has been patched, but sites not updated remain at risk. Unlike other impacted sites, ...
Threat feeds fail to detect attack for +2 years
c/side just detected a new client-side attack that’s been active for over 2 years. The domain guyacave[.]fr is serving a Personal Identifiable Information (PII) skimmer script on multiple websites since August of 2022. Check your website now, and remove the script with the domain immediately if found. During analysis of ...
Why do developers obfuscate JavaScript?
As a client-side security company protecting JavaScript, we see a lot of obfuscated scripts. When you use our tool, you can actually see the deobfuscated version of the scripts to see what it is doing. Deobfuscation has been around for a while, but why is code obfuscated in the first ...
Human Security vs c/side
This article takes an honest look at some of the features of Human Security vs c/side. Please note that you’re on the c/side website. While we have a natural bias, we present both tools in the same light. To complete your research, please visit the Human Security product pages. For ...
What is Client-Side Security?
Client-side security covers all operations occurring on a user's device, such as a browser on a computer or other device when interacting with a web application. Attacks targeting the client-side aim to manipulate the user’s interaction with that web application to steal data or inject malicious code. Why secure the ...
ButterCMS unreported downtime and security concerns
ButterCMS is a popular tool used to manage content for blogs. Earlier this week, we noticed a potentially severe security incident which triggered the team to remove ButterCMS from our site , and start an in depth investigation into what happened. Our aim is to share the findings of our ...
c/side raises a $6m seed round
We’re incredibly proud to announce our seed round of $6m, just six months after raising our pre-seed of $1.7m. Led by Uncork Capital as the lead, with participation from Mantis and PrimeSet . We also welcome back Scribble VC and Roar Ventures who supported us in the pre-seed. Together with ...
Cisco client-side Magecart JavaScript attack
Another day, another high-profile client-side JavaScript attack. This morning, we read that Cisco is the next victim of malicious code being loaded through a third-party script. The Cisco Merchant website operates on the Magento Enterprise framework, which is widely used by eCommerce websites. Magento offers a robust and scalable platform, ...
c/side picked for TechCrunch Disrupt Startup Battlefield 2024
We’re incredibly proud to announce that we were selected for TechCrunch Disrupt Startup Battlefield in 2024. This year’s Startup Battlefield participants span artificial intelligence (AI), software as a service (SaaS), fintech, security, sustainability, space exploration and more. Out of thousands of startups, just 200 make the cut, and we are ...
Feroot vs c/side
This article takes an honest look at the features of Feroot vs c/side. Please note that you’re on the c/side website. While we have a natural bias, we present both tools in the same light. To complete your research, please visit the Feroot product pages. The differences between Jscrambler Webpage ...
How to speed up JavaScript
Eliminate render-blocking resources , reduce unused JavaScript and minimize main thread work are usually found right on top of the PageSpeed Insights report. They talk about potential savings, but besides using the defer tag, there isn’t much info on how to do this. Though there are a few extra ways ...
What are digital skimmers?
Recently, we read of a new significant cyberattack campaign which targeted hundreds of online stores, exploiting vulnerabilities in third-party scripts and plugins. This is a perfect example of a ‘digital skimmer’. Digital skimmers are snippets of code maliciously injected into legitimate websites. They target personal and credit card information. This ...
Why browsers are becoming increasingly more dangerous
Technologies like WebAssembly (WASM), WebGPU, and IndexedDB have transformed what browsers can achieve. This evolution has expanded the functionality of browsers, massively evolving the use cases and experiences. However, this increased complexity also brings a significant cybersecurity concern: an enlarged attack surface. To understand where we are today, let’s take ...
The true cost of a cyber attack
Calculating the true cost of a cyber attack is difficult. None are the same, and companies respond differently. Yet it’s important to report on this in as much detail as possible to accurately represent the full picture of when this happens to your business. Suffering an attack usually comes with ...
Is Tuaw a scam in the making?
When we saw the new Fireship video yesterday, we were immediately reminded of the recent Polyfill attack. Our first article was picked up and referenced by most cybersecurity news outlets, and a week later we published our full post-mortem . When Fireship then reported on Tuaw, “The Unofficial Apple Weblog” ...
The Copay event-stream attack illustrates dependency risks
The JavaScript ecosystem experienced a significant shock with a sophisticated attack on Copay, a popular cryptocurrency wallet provider, in November 2018. Known as the event-stream attack , this incident highlighted the critical vulnerabilities associated with relying on third-party dependencies in software development. Understanding the attack Event-stream, a popular npm package, ...
The Segway cyber attack explained
In January 2022, the Segway web store suffered a web supply chain attack - also often referred to as a Magecart attack. In these types of attacks, malicious JavaScript code is added that loads from the client-side, known as third-party scripts. Many common tools are third-party scripts. Things like analytics, ...
Don't deploy scripts site-wide
Third-party scripts are often deployed site-wide, typically injected in the head tags in web frameworks like Next.js via the ’_document.js’ file. This widespread implementation, while convenient for developers and often recommended by onboarding guides, means these scripts run across the entire site. This is simpler to implement, but it also ...
What is an attack vector and what are hidden ones
An attack vector in cyber security is the way an attacker takes advantage of security weaknesses. Some are more obscure than others. One that’s been our focus, is third party JavaScript. Since these scripts are installed by the website owner yet executed in the visitors' browsers, they're in a unique ...
Web supply chain attack through trojanized jQuery on npm, GitHub and CDNs
Attacks have been found in trojanized jQuery on GitHub, npm and jsDelivr in a new web supply chain attack. Each package had a copy of jQuery with one small change: the ‘end’ function . This is part of the jQuery prototype, and was modified to include additional malicious code. In ...
How expired domains lead to cyber attacks
This is a multifaceted issue. Simply buying an expired domain isn't illegal. However, if a domain name is trademarked, then purchasing it (known as cybersquatting) could potentially breach copyright laws. But this of course will not defer attackers who usually remain anonymous and unnoticed.
The Polyfill attack explained
Recently over 490,000 websites were targeted in a web supply chain attack. We were amongst the first to report on this . NOTE: If a website is referencing the domains polyfill[.]io bootcss[.]com bootcdn[.]net or staticfile[.]org today, they are still open to this attack. What was the Polyfill service project? Polyfill ...
What is the browser supply chain?
c/side is a cyber security product that lives in the browser supply chain space. We and other vendors operating here, like to talk about that supply chain . But what do we mean by it exactly? The browser supply chain is the different components and processes that come together to ...
More than 490k websites targeted in web supply chain attack
The cdn.polyfill.io domain is currently being used in a web supply chain attack. It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code in scripts served to end-users.
Why you can trust c/side
Script security is our bread and butter. For lots of vendors, serving the script is just a part of their product. We put every care and attention to detail in how we proxy, store and process scripts. We work to cover the blind spots that others might have missed.
The BrowseAloud Supply-Chain Attack: A Case Study in Cryptojacking
In February 2018, over 4,000 websites, including high-profile government bodies like the UK's Information Commissioner’s Office (ICO), fell victim to the BrowseAloud attack . This was not just another cybersecurity breach; it was a potent reminder of the hidden dangers of third-party scripts in our increasingly interconnected digital ecosystems. notionvc: ...
Why CSPs Are Not Enough
Content Security Policies (CSPs), scoped and promoted by the W3C , offer a browser-side feature designed to enhance web security. If implemented correctly, with specific rules per page, they can provide substantial security benefits. However, in practice, they tend to be cumbersome to set up, frequently break during local development, ...
Ticketmaster Data Breach Déjà Vu: What You Need to Know
Yesterday on May 29, 2024, news broke of an alleged data breach involving Ticketmaster , a prominent ticket sales and distribution company. The breach, reportedly executed by ShinyHunters , is claimed to have exposed the personal information of over 500 million customers. This breach includes sensitive data such as emails, ...
Supply Chain Risk Doesn’t End At NPM
Supply Chain attacks are a top of mind problem today. The number of these attacks in the US increased by 115% between 2022 and 2023, according to Statista . Tools like Socket and Coana detect harmful code in registries like NPM. But the supply chain risk doesn’t end there. However, ...
Kaiser Permanente Data Leak: A Case of Miscommunication and Inadequate Disclosure
On April 29th, healthcare giant Kaiser Permanente disclosed a data leak impacting 13.4 million current and former insurance members . The incident was rooted in improperly managed 3rd party scripts. The Incident Kaiser Permanente used tracking codes to monitor how its members navigated through its website and mobile applications. Some ...
Introducing c/side free tier BETA
We’re excited to announce the launch of c/side. Monitoring, Securing and Optimizing 3rd Party Scripts . In today's digital landscape, third-party scripts are a key part of the supply chain. Yet it is often forgotten about and therefore presents a threat. Browser Supply Chain Risks are an age old and ...
Cloudflare Page Shield vs c/side
This article takes an honest look at the features of Cloudflare Page Shield vs c/side.
Threat Feeds In The AI Era
Here’s what threat feeds are, and why it’s only a small cog in the cyber security machine in 2024. We also share the more complete solution to protect yourself from cyber attacks.
Imperva Client-side Protection vs c/side
Let’s take an honest look at the features of Imperva’s Client-side Protection product vs c/side.
Jscrambler Webpage Integrity vs c/side
Other than other competitors providing a form of browser-side security almost as an afterthought, Jscrambler’s focus is similar to ours at c/side.
Akamai Page Integrity Manager vs c/side
Akamai Page Integrity Manager vs c/side. Which is better?
The 2021 cdnjs Vulnerability in Detail
Checking 3rd party scripts sources is great, but not enough. That’s what the world learned in 2021, when a massive vulnerability in Cloudlfare’s cdnjs got noticed. Here’s the rundown of what, and how, it happened. Cdnjs is one of the most commonly used JavaScript Content Delivery Networks (CDNs) of today. ...
The risk of only protecting your payment portals from 3rd party javascript attacks
At this time, only payment portals are required to have a system to keep 3rd party JavaScript in check. But, there’s still a data breach risk if you don’t secure all pages.
PCI DSS 4.0 complete guide and steps
PCI DSS 4.0 is built on six foundational principles aimed at fostering a secure environment for people making (and those facilitating) online transactions. Let's dive into all of them and see how you can be fully compliant.