Polyfill.io Scripts Generate Fake Login Prompts at Toshiba and Muji

In brief: Two years after a supply-chain attack on polyfill.io, the compromised domain caused fake login prompts on websites of major brands through leftover code.

From late May 2026, the reactivated domain polyfill.io sent manipulated HTTP 401 authentication responses to visitors of the websites of Toshiba, Muji and other brands, resulting in browser pop-ups with fake login forms. The problem stems from a supply-chain attack in 2024, when the domain fell to Chinese actors after expiration.

Since late May 2026, suspicious authentication prompts have appeared on the websites of Toshiba and Muji. The affected companies report that the external domain polyfill.io sends unexpected HTTP 401 responses to visitor browsers. The browser interprets these responses as legitimate authentication requests and displays a standard login pop-up. Users could unknowingly enter their login credentials into these fake forms.

The origin lies in a known supply-chain attack from 2024: Polyfill.io is a JavaScript service that makes modern web content compatible with older browsers. After the original open-source developer Andrew Betts no longer maintained the domain, it was taken over by a Chinese entity following expiration and injected with malicious code. This affected over 100,000 websites worldwide. Betts subsequently warned about this and migrated the legitimate project to new domains such as polyfill.com and polyfill.top. However, many website operators failed to completely remove references to the old polyfill.io domain from their codebases.
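One way to find the leftover references described above is to scan templates and scripts for URLs whose host is polyfill.io or one of its subdomains. The following is an added example, not code from the article or the affected sites; the sample page, its hosts and paths are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

RETIRED_DOMAIN = "polyfill.io"  # domain named in the article

# Absolute or protocol-relative URLs as they appear in HTML attributes,
# inline scripts and standalone JS files.
_URL = re.compile(r"""(?:https?:)?//[^\s"'<>()`\\]+""", re.I)


def host_is_retired(url: str) -> bool:
    """True if url resolves to polyfill.io or any subdomain of it."""
    if url.startswith("//"):  # protocol-relative: inherits the page's scheme
        url = "https:" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return False
    host = host.rstrip(".")  # hostname is already lower-cased by urlsplit
    # Match on a label boundary so look-alike hosts are not flagged.
    return host == RETIRED_DOMAIN or host.endswith("." + RETIRED_DOMAIN)


def find_references(text: str) -> list[tuple[int, str]]:
    """Return (line number, URL) for each reference to the retired domain."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in _URL.finditer(line):
            if host_is_retired(match.group(0)):
                hits.append((lineno, match.group(0)))
    return hits


# Constructed sample page; hosts and paths are illustrative only.
SAMPLE = """<!doctype html>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://polyfill.io.example.net/lib.js"></script>
<script>var s = document.createElement("script"); s.src = "https://POLYFILL.IO/v2/polyfill.js";</script>
<a href="https://notpolyfill.io/">unrelated look-alike host</a>
"""

if __name__ == "__main__":
    for lineno, url in find_references(SAMPLE):
        print(f"line {lineno}: {url}")
```

Matching on the parsed hostname rather than a plain substring catches protocol-relative and mixed-case references while ignoring hosts that merely contain the string `polyfill.io`.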

In addition to Toshiba and Muji, older websites of Zojirushi, FiNC Technologies, Ishiyaku Publishers and Hobonichi, as well as Samsung Smart TVs, were affected from June 1, 2026. Toshiba and Muji have since completely discontinued their use of the service. According to current information, there are no confirmed cases of successful data exfiltration through the manipulated pop-ups. Both companies recommend that users who may have entered login credentials change their passwords immediately.


Source: www.it-daily.net · Published June 10, 2026
Lumi AI News — AI-assisted curation according to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.