Two years after a supply-chain attack on polyfill.io, the compromised domain caused fake login prompts on websites of major brands through leftover code.