PULSE DETAIL
A malicious Chinese entity acquired control over the popular Polyfill JS open-source project and has been injecting malware into over 100,000 websites that embed the polyfill.io content delivery network. The malware redirects mobile users to a fraudulent sports betting site hosted on a domain impersonating Google Analytics. The attack employs various evasion techniques and targets specific devices and time windows. While trustworthy alternatives are available, it's recommended to remove any references to polyfill.io from your codebase as the library is no longer necessary for modern browsers.
| TYPE | INDICATOR | DESCRIPTION | CREATED |
|---|---|---|---|
| URL | https://kuurza.com/redirect?from=bitget | — | 2024-06-27 |
| URL | https://www.googie-anaiytics.com/ga.js | — | 2024-06-27 |
| URL | https://www.googie-anaiytics.com/html/checkcachehw.js | — | 2024-06-27 |