VYPR
advisory · Published Jun 5, 2026 · 1 source

Toshiba, Muji Websites Hit by Polyfill.io Credential Harvesting Scheme

Toshiba and Muji websites displayed deceptive login prompts, a consequence of a compromised third-party JavaScript service, polyfill[.]io, potentially designed to steal user credentials.

Major Japanese companies Toshiba and Muji have alerted their customers to suspicious login screens appearing on their official websites, warning that these prompts could be an attempt to harvest user credentials. Both firms have advised customers who entered their login information into these deceptive pop-ups to immediately change their passwords.

The problematic login screens were reportedly generated by the external service hosted at polyfill[.]io. This service, which serves JavaScript shims so that older browsers can run modern code, had malicious code injected into its scripts in 2024 after its domain was acquired by an unknown entity. Because sites load the script directly from that host, the compromise pushed malicious code to every website that still referenced the service.

Toshiba issued a statement confirming the issue, urging users to select "Cancel" if they encountered the suspicious screen and to avoid entering any information. Muji, a large Japanese retailer, published a similar advisory, noting that while no unauthorized access or data leakage had been confirmed, customers should exercise caution. Both companies have since resolved the issue by suspending the use of the polyfill[.]io service.

Reports indicate that several other Japanese organizations, including Zojirushi, FiNC Technologies, Ishiyaku Publishers, and Hobonichi, were also affected by the same incident. Security researcher Pasquale Pillitteri also noted that Samsung Smart TVs and associated websites displayed a similar login prompt on June 1st, suggesting a broader impact.

The root cause traces back to the polyfill[.]io domain, which was never owned by the open-source project's creator. When the domain changed hands, the new owner introduced malicious scripts. Although the original creator had warned site operators to remove the reference, and the service was relaunched under new domains (polyfill.com and later polyfill.top), some websites failed to remove the outdated polyfill[.]io references over the past two years.

Starting in late May 2026, the polyfill[.]io domain reactivated and began answering requests for its scripts with HTTP 401 responses carrying an authentication challenge. A browser that loads a script tag from the host can respond to such a challenge by opening its own HTTP authentication dialog; to the user, that dialog looks like a login prompt from the site they are visiting, even though anything typed into it is sent to the script host. Whether the dialog is shown depends on the browser's policy for cross-origin subresource authentication, which is why not every visitor will have seen it. While there is currently no direct evidence of compromised websites or stolen credentials, the incident highlights the risks of relying on third-party script hosts and shows how a dangling reference to abandoned infrastructure can be exploited long after the original compromise.
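The two practical questions raised by the paragraphs above are (1) does a page still carry a script tag pointing at the retired polyfill[.]io host, and (2) would that load reach the browser at all given the site's Content-Security-Policy, since a script source the CSP blocks is never fetched and can never trigger an authentication dialog. The following Node.js script is an added example, not code from Toshiba, Muji, the polyfill project or the cited source; it scans HTML for script and link tags on the hosts named in this advisory, evaluates a `script-src` directive against each, and classifies a response as "will open the browser's login dialog" when it is a 401 with a Basic or Digest challenge. The sample page, the CSP strings and the 401 response are constructed for the example, and the host list and function names are assumptions.

```javascript
// Added example (not Toshiba's, Muji's or the polyfill project's code):
// triage dangling third-party script references and the 401 login-prompt
// mechanism described in the advisory. Node.js, no dependencies.

// Hosts treated as dangling script sources. Assumed list for this example;
// it mirrors the domains named in the advisory, extend it for your own CDNs.
const DANGLING_HOSTS = new Set(['polyfill.io', 'polyfill.com', 'polyfill.top']);

// Collect every cross-origin src/href from <script> and <link> tags, resolved
// against the page origin so protocol-relative URLs (//host/x.js) are caught.
// A regex is enough for a triage scan; use a real HTML parser in production.
function findExternalScripts(html, pageOrigin) {
  const re = /<(script|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    let url;
    try { url = new URL(m[2], pageOrigin + '/'); } catch (e) { continue; }
    if (url.origin === pageOrigin) continue;          // same-origin asset
    found.push({ tag: m[1].toLowerCase(), host: url.hostname, url: url.href });
  }
  return found;
}

// Keep only references whose host is, or is a subdomain of, a dangling host.
function findDanglingReferences(html, pageOrigin) {
  return findExternalScripts(html, pageOrigin).filter(r => {
    const h = r.host.toLowerCase();
    for (const d of DANGLING_HOSTS) if (h === d || h.endsWith('.' + d)) return true;
    return false;
  });
}

// Would this CSP let the browser fetch scriptUrl? Handles *, 'self', scheme
// sources (https:), wildcard hosts (*.cdn.example) and plain host sources;
// ports and paths are ignored, which is enough for a triage verdict.
function cspAllowsScript(cspHeader, scriptUrl, pageOrigin) {
  const directives = {};
  for (const part of cspHeader.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  const sources = directives['script-src'] || directives['default-src'];
  if (!sources) return true;                          // no directive: allowed
  const u = new URL(scriptUrl);
  return sources.some(raw => {
    const s = raw.replace(/^'|'$/g, '').toLowerCase();
    if (s === '*') return true;
    if (s === 'self') return u.origin === pageOrigin;
    if (s === u.protocol) return true;                // e.g. "https:"
    if (s.startsWith('*.')) return u.hostname.endsWith(s.slice(1));
    const host = s.includes('://') ? new URL(s).hostname : s.split('/')[0].split(':')[0];
    return host === u.hostname;
  });
}

// A response that makes the browser render its own login dialog: HTTP 401
// plus a WWW-Authenticate challenge the browser handles natively. The prompt
// belongs to the script host, but the user sees it on the embedding page.
function triggersBrowserAuthPrompt(status, headers) {
  if (status !== 401) return false;
  const challenge = Object.entries(headers).find(([k]) => k.toLowerCase() === 'www-authenticate');
  return !!challenge && /^(basic|digest)\b/i.test(String(challenge[1]).trim());
}

// Combine the checks for every dangling reference in a page. `responseFor`
// returns the observed {status, headers} for a script URL; in real use it
// would perform the fetch, here it is fed constructed data.
function triage(html, cspHeader, pageOrigin, responseFor) {
  return findDanglingReferences(html, pageOrigin).map(ref => {
    const resp = responseFor(ref.url);
    return {
      url: ref.url,
      blockedByCsp: !cspAllowsScript(cspHeader, ref.url, pageOrigin),
      promptsForLogin: triggersBrowserAuthPrompt(resp.status, resp.headers),
    };
  });
}

// Constructed sample page; not the markup of any site named in the advisory.
const SAMPLE_HTML = `<html><head><meta charset="utf-8">
<script src="/static/app.js"></script>
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
<link rel="stylesheet" href="https://fonts.example.net/style.css">
</head><body></body></html>`;
// Constructed response matching the mechanism the advisory describes.
const SAMPLE_RESPONSE = { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="login"' } };
const PAGE_ORIGIN = 'https://www.example.com';
const CSP_WEAK = "default-src 'self'; script-src 'self' https:";
const CSP_STRICT = "default-src 'self'; script-src 'self' https://cdn.example.com";

console.log(triage(SAMPLE_HTML, CSP_WEAK, PAGE_ORIGIN, () => SAMPLE_RESPONSE));
console.log(triage(SAMPLE_HTML, CSP_STRICT, PAGE_ORIGIN, () => SAMPLE_RESPONSE));
```

With the permissive `https:` source the reference is fetched and the 401 reaches the browser; with an allow-list of specific hosts the load is blocked before any response arrives. Note that Subresource Integrity would not have helped here, because the polyfill service tailored its output to the requesting browser and so never had a stable hash; the effective fix is the one Toshiba and Muji applied, removing the tag entirely, with a host allow-list in `script-src` as the backstop against the next forgotten reference.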

This incident serves as a stark reminder of the supply chain risks inherent in web development. The compromise of a seemingly innocuous JavaScript library has had a widespread impact, affecting major brands and potentially exposing their users to credential theft. The prolonged period between the initial compromise and the recent exploitation underscores the importance of continuous monitoring and of dependency hygiene: inventorying every third-party script tag and removing those whose host is no longer trusted, even when that host appears to be inactive.

Users are strongly advised to remain vigilant against unexpected authentication prompts and to verify the legitimacy of any login requests, especially those appearing on websites that do not typically require such authentication. The incident involving polyfill[.]io is a critical case study in the evolving threat landscape, where outdated infrastructure can be weaponized long after its intended use.

Synthesized by Vypr AI