Japan’s Toshiba and retailer Muji warned website visitors this week that suspicious sign-in screens appearing on their sites were generated by polyfill[.]io, a JavaScript CDN compromised in 2024 when a Chinese entity acquired the domain and seeded it with malicious code affecting over 100,000 websites.
Both companies have suspended the service and advised any user who entered credentials into the pop-ups to change their passwords immediately.
The immediate trigger: security researcher Pasquale Pillitteri reported that starting in late May 2026, polyfill[.]io reactivated and began returning HTTP 401 authentication responses. Browsers treat that status code as a credential challenge, so users visiting pages that still embedded old Polyfill scripts were served a login prompt — one not controlled by Toshiba or Muji.
The damage isn’t limited to Toshiba and Muji. Japanese media also identified Zojirushi, FiNC Technologies, Ishiyaku Publishers, and Hobonichi as additional victims. Samsung Smart TVs and related websites displayed the rogue prompt on June 1.
Cleanup failure is the deeper story. When the 2024 compromise was first disclosed, original creator Andrew Betts publicly urged site owners to remove Polyfill entirely and relaunched the service at a new domain. Many sites never did. Two years of dormancy lulled administrators into complacency; one reactivation undid it. The audit question for any IT team today: which third-party scripts on your pages point to domains you don’t own?
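One way to answer that audit question for a single page, as an added example that is not from the article or from any of the companies named: the Python sketch below lists every external script whose host falls outside a set of domains you own and records whether the tag carries a Subresource Integrity attribute. The page URL, the owned-domain set, the sample HTML and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every <script> tag that loads an external file."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"].strip(), attr.get("integrity")))

def is_owned(host, owned_domains):
    # Match the domain itself or a true subdomain; the leading dot stops
    # lookalikes such as "shop.example.jp.cdn.example" from passing.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned_domains)

def audit_scripts(page_url, html, owned_domains):
    """Return one finding per script whose host is outside owned_domains."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        url = urljoin(page_url, src)  # resolves relative and //host/path forms
        host = urlsplit(url).hostname or ""
        if not is_owned(host, owned_domains):
            findings.append({"host": host, "url": url, "sri": bool(integrity)})
    return findings

# Constructed sample page; hosts under .example and all paths are invented.
# polyfill.io is written un-defanged only so it parses as a hostname; nothing is fetched.
SAMPLE_HTML = """
<script src="/js/app.js"></script>
<script src="https://static.shop.example.jp/ui.js"></script>
<script src="//polyfill.io/polyfill.js"></script>
<script src="https://shop.example.jp.cdn.example/a.js"></script>
<script src="https://cdn.vendor.example/lib.js" integrity="sha384-CONSTRUCTED"></script>
<script>var inline = 1;</script>
"""

if __name__ == "__main__":
    for f in audit_scripts("https://shop.example.jp/", SAMPLE_HTML, {"shop.example.jp"}):
        print(f"{f['host']:30} sri={f['sri']!s:5} {f['url']}")
```

Static parsing only sees tags present in the served HTML; scripts injected at runtime by other scripts need a browser-side inventory as well.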
No confirmed credential theft has been reported. Users who interacted with the prompts should treat their passwords as compromised.
James Okafor