Suspicious Polyfill login prompts pop up on Toshiba, Muji websites

Summary

Tech companies Toshiba and Muji warned of suspicious login prompts appearing on their websites, generated by the polyfill.io CDN service. The issue stems from the 2024 compromise of polyfill.io by a Chinese entity, followed by domain expiration and reactivation in late May 2026, which began serving HTTP 401 authentication requests. Multiple Japanese companies and Samsung Smart TVs were affected; while no credential theft has been confirmed, users who entered login data are advised to change passwords.

Full text

Suspicious Polyfill login prompts pop up on Toshiba, Muji websites By Bill Toulas June 5, 2026 05:54 PM 0 Tech giant Toshiba and mega-retailer Muji warned visitors that suspicious sign-in screens popping up on their websites could collect credentials. Both Japanese companies advised users who entered their account login data in the authentication screens to change their passwords to access the service. The login pop-ups were generated by the external service hosted at polyfill[.]io, which in 2024 introduced malicious code in scripts delivered by its CDN. “We have confirmed that some parts of our website may display a sign-in screen like the one shown below. We are currently working to eliminate this screen, but if you do see it, please select "Cancel" without entering any information," Toshiba said in a short communication. The suspicious login screenSource: Toshiba Japanese retail giant Muji published a similar announcement earlier this week, warning website visitors of suspicious authentication screens generated by the external service polyfill[.]io. “At this time, we have not confirmed any unauthorized access or information leakage to this site, but in order to ensure the safety of our customers, we ask that you consider your response,” Muji states. Both Toshiba and Muji have solved the issue and suspended the service. Japanese media outlets reported that Zojirushi, FiNC Technologies, Ishiyaku Publishers, and online publishing brand Hobonichi were also impacted by the same issue. Security researcher Pasquale Pillitteri says that Samsung Smart TVs and websites also displayed a login prompt on June 1. Some reports claim that the problem was caused by the polyfill[.]io incident in 2024, when the domain was purchased by a Chinese entity and added malicious scripts that impacted more than 100,000 websites using the Polyfill service. Polyfill is a JavaScript CDN for legacy browsers, allowing modern sites to run on them by providing a compatibility layer for unsupported technologies. The Polyfill code was delivered via a CDN at polyfill[.io], although the domain was not owned by the creator of the open source project, Andrew Betts. As such, when the domain expired, it could be claimed by anyone. At the time, Betts responded publicly by recommending that website owners remove the service from their sites, and relaunched the JavaScript CDN service at a new domain, polyfill.com, and later settled at polyfill.top. While the deactivation of the service at polyfill[.]io stopped the redirections, some sites using the service failed to clean all their pages over the past two years, so remnants of Polyfill code remained. Pillitteri reports that, starting in late May 2026, the polyfill[.]io domain became active again and started responding with HTTP 401 authentication requests. User browsers visiting pages such as Toshiba’s and MUJI’s interpret that as a request for a username and password, so they serve a login prompt. At the moment, there is no indication that impacted websites were hacked or that credentials entered on these rogue login screens were stolen. However, users are strongly recommended to be cautious about unexpected authentication prompts. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: New IronWorm malware hits 36 packages in npm supply-chain attackChinese hackers use new Atlas RAT malware in European cyberattacksNew Shai-Hulud malware wave compromises 600 npm packagesShai Hulud attack ships signed malicious TanStack, Mistral npm packagesPopular node-ipc npm package compromised to steal credentials

Indicators of Compromise

• domain — polyfill.io
• domain — polyfill.com
• domain — polyfill.top

Entities