(Handle Polyfill.io Security-Alert) How do you detect if a big npm Codebase uses Polyfill.io somewhere?

Polyfill.io is malicious: https://dev.to/snyk/polyfill-supply-chain-attack-embeds-malware-in-javascript-cdn-assets-55d6

I now need to find it my codebase:

I used: grep -r "polyfill.io" to quickly find the obvious and I checked the Network Traffic of the website.

Network Traffic is however not an exhaustive method to find every polyfill.

How do I efficiently check:

• npm subdependencies
• dynamically loaded polyfills?
• What about other polyfill suppliers like bootcss​.​com bootcdn​.​net & staticfile​.​org? It seems Polyfill.io is not the only one? https://socket.dev/blog/namecheap-takes-down-polyfill-io-service-following-supply-chain-attack

You can use Zaproxy to scan a website for the use of the polyfill[.]io domain. No need to install ZAP, just run a one liner to run the check with a docker container:

docker run -t zaproxy/zap-stable zap.sh -cmd -addoninstall pscanrulesBeta -zapit https://www.example.com/

You can specify as many URLs you like: -zapit https://www.example1.com -zapit http://example2.com/

See https://www.zaproxy.org/blog/2024-06-27-polyfill.io-script-detection/