Suspicious Polyfill login prompts pop up on Toshiba, Muji websites
Toshiba and Muji warned that suspicious sign-in prompts appearing on their websites, generated by the polyfill.io service, could be used to harvest credentials. Both companies suspended the service and advised users who saw the prompts to cancel and change passwords. The issue, linked to Polyfill’s historically compromised CDN, also affected other brands and even Samsung devices in late May to early June 2026, though no confirmed data breaches have been reported yet.

Overview
- Reports indicate that visitors to the Toshiba and Muji websites encountered sign-in screens that appeared to collect credentials. The prompts were not initiated by the sites themselves but were rendered by an external service known as polyfill.io.
- Both companies issued notices advising users who saw the authentication prompts to proceed with caution and to avoid entering any information if the screen appeared unexpectedly.
What Happened
- The rogue login prompts originated from an external script delivered via a Content Delivery Network (CDN) associated with polyfill.io.
- Polyfill.io is a JavaScript CDN historically used to provide compatibility layers for legacy browsers, enabling modern sites to function on older environments.
- In 2024, the polyfill.io service faced a controversy when the domain was acquired by a different entity and malicious code was allegedly introduced into some of its scripts. The situation led to a broader warning about the reliability of third-party script dependencies.
- In late May 2026, security researchers noted that the polyfill.io domain became active again and began answering requests with HTTP 401 authentication challenges. When a user's browser received one of these 401 responses, the resulting prompt could resemble a sign-in dialogue and tempt the user to enter credentials.
Affected Parties and Responses
- Toshiba: The company acknowledged that parts of its site could display a sign-in screen that resembled a login prompt. Toshiba stated that they were working to eliminate the screen and advised users to select Cancel if the prompt appeared, avoiding any data entry.
- Muji: Muji published a similar notice, warning visitors about suspicious authentication screens generated by polyfill.io. While Muji did not confirm any unauthorized access, they urged caution to protect customers.
- Other companies reported by Japanese media as impacted by the same issue include Zojirushi, FiNC Technologies, Ishiyaku Publishers, and Hobonichi. The scope suggested that multiple sites relying on the same external script feed were affected.
- Security researcher observations: Samsung Smart TVs and associated websites were also seen displaying login prompts on June 1, widening the range of devices affected by the same service behavior.
- Community reports: Some discussions on technical forums and social platforms linked the 2024 polyfill incident—where the domain had changed hands and scripts were altered—with the 2026 revival of the problem, suggesting a continuity of risk tied to lingering remnants of older polyfill code on sites that had not fully cleaned up.
Technical Context
- Polyfill is designed to support legacy technologies by injecting compatibility layers through JavaScript. The intended use is legitimate, but dependency on third-party CDNs can introduce risk if the CDN is compromised or if the domain changes hands.
- The login prompts appeared as standard authentication dialogues, which the browser triggers when a server responds with an HTTP 401 status. Typically a 401 prompts for credentials as part of a legitimate authentication flow; in this case, the prompts instead acted as a misleading sign-in interface.
- The chain of events includes: the external polyfill script delivery, the domain’s ownership changes in 2024, the subsequent defacement/compromise of scripts, domain expiration, and the late-May 2026 reactivation that led to new prompts on various sites.
Current Status and Implications
- Both Toshiba and Muji reported resolution of the immediate issue on their sites, suspending the external service associated with polyfill.io and working to ensure that visitors are not exposed to rogue login prompts.
- There is no publicly confirmed evidence at this time that any credentials entered through these rogue prompts were stolen. Nevertheless, the presence of deceptive authentication dialogs underscores the potential risk of third-party scripts and the importance of rigorous supply-chain hygiene for web assets.
- The incident reinforces the need for ongoing monitoring of external dependencies, prompt removal of any deprecated or suspicious scripts, and rapid response when unusual authentication behavior is observed on high-traffic sites.
Context and Takeaways
- The episode illustrates how a trusted provider’s infrastructure can become a vector for credential-focused prompts on consumer-facing websites, affecting not only the primary brands involved but also other sites leveraging the same service.
- It also highlights the value of rapid, transparent communication from organizations when customers encounter unexpected security prompts, as well as the importance of adopting defensive measures to reduce exposure to third-party script risks.
- The broader security landscape continues to emphasize how attackers leverage legitimate tools and services to blend into normal user experiences, making vigilance across codebases and CDNs essential in modern web security.
Additional Observations
- The incident has prompted renewed discussions around legacy browser support, dependency management, and the resilience of web ecosystems to external script disruptions.
- Online communities and security researchers have emphasized the need for thorough cleanup of remnants from older polyfill implementations on sites that may have migrated away from a service but left behind related code.
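
The cleanup described above can start with a scan of deployed markup for subresource references that still point at the retired host. The following is an added example, not code from any of the affected companies; the page URL `https://shop.example/`, the function names, and the sample markup are constructed for illustration.

```javascript
// Added example: find leftover subresource references to a retired third-party host.
const RETIRED_HOSTS = ['polyfill.io']; // host named in the article

// Regex scan of static markup; not a full HTML parser and blind to script-injected tags.
const TAG_RE = /<(script|link|iframe|img)\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Match the host itself and any subdomain, but not look-alike suffixes.
function isRetired(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  return RETIRED_HOSTS.some((d) => h === d || h.endsWith('.' + d));
}

// pageUrl resolves protocol-relative (//host/path) and relative references.
function findRetiredReferences(html, pageUrl) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const ref = tag === 'link' ? attrs.href : attrs.src;
    if (!ref) continue;
    let url;
    try { url = new URL(ref, pageUrl); } catch { continue; }
    if (!isRetired(url.hostname)) continue;
    const line = html.slice(0, m.index).split('\n').length;
    findings.push({ line, tag, host: url.hostname, ref });
  }
  return findings;
}

// Constructed sample page: three real references, two look-alikes that must not match.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src='//polyfill.io/v3/polyfill.min.js'></script>
<link rel="preconnect" href="https://POLYFILL.IO">
<script src="/static/polyfill.io.bundle.js"></script>
<script src="https://polyfill.io.example.net/p.js"></script>
</head><body></body></html>`;

console.log(findRetiredReferences(SAMPLE_HTML, 'https://shop.example/'));
```

Run it over rendered templates and cached pages as well as source files, since old includes often survive in CMS fragments that are no longer in the main code base.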
Summary
- A rogue login prompt surfaced on Toshiba and Muji websites, traced to a third-party service associated with polyfill.io. The affected companies advised users to cancel any unexpected prompts and to avoid entering credentials. While the immediate risk appeared to be mitigated by suspending the problematic service, the event serves as a cautionary example of how external dependencies can influence security at scale and why careful management of third-party scripts remains critical for protecting users.


