Completely missing the point that they are the supply chain risk, and the fact that malicious code was already detected in their system (to the point where Google started blocking ads for sites that loaded polyfill .io scripts.
We don't even know who they are - the repo is owned by an anonymous account called "polyfillpolyfill", and that comment comes from another anonymous account "polyfillcust".