HackMyIP
2026-06-05 BleepingComputer

Toshiba and Muji Sites Hit by Fake Login Prompts from Revived Polyfill Domain

Supply Chain, Phishing, Incident Response

Japanese tech giant Toshiba and retail chain Muji are warning visitors that suspicious sign-in screens appearing on their websites may be harvesting credentials, in a supply chain incident traced back to the notorious polyfill[.]io domain. Both companies urged any users who entered login details into the rogue authentication prompts to change their passwords immediately. The fake login overlays were generated by the external CDN service at polyfill[.]io, which first made headlines in 2024 when a Chinese entity acquired the expired domain and began serving malicious JavaScript to over 100,000 dependent websites. Anyone who suspects they may have submitted credentials into one of these prompts should verify their exposure using an email breach checker and rotate any reused passwords, using a password strength checker to gauge strength before updating accounts.

The root cause is a lingering supply chain dependency that refused to die. Polyfill was originally an open-source JavaScript compatibility layer created by Andrew Betts to support legacy browsers, but the polyfill[.]io domain was never owned by him. After the domain expired and changed hands, Betts relaunched the service at polyfill.com and later polyfill.top, advising site owners to remove the old dependency. Toshiba and Muji, along with Zojirushi, FiNC Technologies, Ishiyaku Publishers, and Hobonichi, failed to fully purge the dead scripts from their pages, leaving remnants that recently resurfaced when the polyfill[.]io domain reactivated in late May 2026 and began returning HTTP 401 authentication responses, which browsers interpret as a native username/password prompt.

Security researcher Pasquale Pillitteri documented that Samsung Smart TVs and several other sites also rendered the unsolicited login dialogs beginning June 1. Because the pop-ups resemble legitimate browser authentication windows rather than web-based phishing forms, many users may have unwittingly entered valid corporate or personal credentials directly into the attacker's challenge request. While the deactivation of the malicious CDN has stopped new injections, organizations operating websites should audit all third-party script references, validate that no orphaned polyfill[.]io URLs remain in source code or cached pages, and run a thorough SSL/TLS check and dependency review as part of their incident response.
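One way to run the source-code audit described above, as an added example that is not part of the original article: a Python scan that flags `src`/`href` references and inline-script URLs whose host is polyfill[.]io or a subdomain, including protocol-relative and mixed-case forms, while ignoring lookalike hosts. The sample page, its paths, and the names `RETIRED`, `is_retired`, `RefAuditor` and `audit_html` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts to flag, kept defanged as on the page and refanged only in memory.
RETIRED = {h.replace("[.]", ".") for h in ("polyfill[.]io",)}
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>)]+""")  # absolute or protocol-relative

def is_retired(url):
    """True if the URL's host is a retired domain or one of its subdomains."""
    try:
        host = (urlsplit(url.strip()).hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return False
    return any(host == d or host.endswith("." + d) for d in RETIRED)

class RefAuditor(HTMLParser):
    """Records (line, kind, url) for every reference to a retired host."""
    def __init__(self):
        super().__init__()
        self.findings, self.in_script = [], False
    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        for name, value in attrs:
            if name in ("src", "href") and value and is_retired(value):
                self.findings.append((self.getpos()[0], tag, value.strip()))
    def handle_endtag(self, tag):
        self.in_script = False
    def handle_data(self, data):
        # Inline JS can build a loader at runtime, so scan its string contents too.
        for m in URL_RE.finditer(data if self.in_script else ""):
            if is_retired(m.group()):
                line = self.getpos()[0] + data.count("\n", 0, m.start())
                self.findings.append((line, "inline-js", m.group()))

def audit_html(text):
    parser = RefAuditor()
    parser.feed(text)
    parser.close()
    return parser.findings

# Constructed sample page (hosts defanged in source, refanged for the scan).
SAMPLE = """<!doctype html>
<script src="https://cdn.polyfill[.]io/v3/polyfill.min.js"></script>
<link rel="preconnect" href="//POLYFILL[.]io">
<script src="https://notpolyfill[.]io.example/app.js"></script>
<script>var s = document.createElement("script"); s.src = "https://polyfill[.]io/v3/p.js";</script>""".replace("[.]", ".")
if __name__ == "__main__":
    print(*audit_html(SAMPLE), sep="\n")
```

Run `audit_html` over templates, built pages and cached HTML alike; each finding gives the line to edit, and the lookalike host on line 4 of the sample is correctly left unflagged.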

Toshiba and Muji have both publicly stated that no unauthorized access or confirmed data leakage has been identified so far, but the incident underscores how a single abandoned third-party dependency can resurrect a threat years after takedown. Website owners and security teams should treat any HTTP 401 prompt appearing on an internal or customer-facing site as suspicious by default, purge legacy CDN references, and educate end users to cancel unexpected login dialogs rather than entering credentials. With multiple Japanese organizations already impacted, the episode serves as a clear reminder that supply chain hygiene is not a one-time task but an ongoing operational responsibility.

Source: BleepingComputer
