suspicious polyfill.io – Toshiba and Muji issued urgent warnings after suspicious sign-in pop-ups began appearing on their websites, tied to the external service polyfill.io. Both companies later suspended the service and urged visitors who entered login details to change their passwo
For a brief but alarming stretch of time, the wrong kind of “sign in” started appearing on two well-known Japanese websites.
Toshiba told visitors that some parts of its website may display a sign-in screen, “like the one shown below,” and said it was working to remove it. The instruction was blunt: if users saw the prompt, they should select “Cancel” without entering any information.
Muji published a similar warning earlier this week, also pointing to authentication screens generated by the external service polyfill.io. Muji said it had not confirmed unauthorized access or information leakage to the site, but urged customers to think carefully about how they responded.
Both companies have since resolved the issue and suspended the service.
The source of the pop-ups was polyfill.io, which in 2024 introduced malicious code into scripts delivered through its CDN. Polyfill itself is a JavaScript CDN designed for legacy browsers. acting as a compatibility layer so modern sites can still run on older systems. But in this case, the compatibility tool became the trigger for a fake-looking login prompt.
The bigger fear for users isn’t what the prompt looks like—it’s what it asks for. Toshiba and Muji both advised users who entered their account login data in the authentication screens to change their passwords to access the service.
Security researcher Pasquale Pillitteri said Samsung Smart TVs and websites were also seeing a login prompt on June 1. Japanese media outlets reported that Zojirushi, FiNC Technologies, Ishiyaku Publishers, and online publishing brand Hobonichi were impacted by the same issue.
Putting the timeline together is where the tension sharpens. Some reports claim the incident traces back to 2024, when the polyfill.io domain was purchased by a Chinese entity and malicious scripts were added, affecting more than 100,000 websites using the Polyfill service.
The domain history is also messy. The Polyfill JavaScript CDN at polyfill.io was not owned by the creator of the open-source project, Andrew Betts. When the polyfill.io domain expired, it could be claimed by others. After that happened. Betts publicly recommended that website owners remove the service. relaunched the JavaScript CDN at a new domain. polyfill.com. and later moved to polyfill.top.
Even after Toshiba and Muji suspended polyfill.io, the damage wasn’t necessarily instant or clean. While deactivating the service stopped redirections, some sites using the service failed to remove all Polyfill code over the past two years, leaving remnants behind.
Pillitteri reports that starting in late May 2026, polyfill.io became active again and began responding with HTTP 401 authentication requests. When browsers visit pages that include that leftover Polyfill logic. they interpret the 401 response as a request for a username and password. which then shows users a login prompt.
At the moment. there is no indication that impacted websites were hacked or that credentials entered on these rogue login screens were stolen. Even so. the guidance from Toshiba and Muji reads like a warning from people who know how quickly a routine action can turn into a security mistake: if something asks for credentials unexpectedly. treat it as hostile until proven otherwise.
Toshiba Muji polyfill.io login prompt credential phishing CDN JavaScript compatibility layer cybersecurity HTTP 401 legacy browsers Samsung Smart TVs