Tech giant Toshiba and retail giant Muji have warned visitors that suspicious sign-in screens could pop up on their websites and that their credentials could be collected.
Both Japanese companies advised users who entered their account login information on the authentication screen to change their passwords for accessing the services.
The login popup was generated by an external service hosted on polyfill(.)io, which injected malicious code into a script distributed by a CDN in 2024.
“We have confirmed that a sign-in screen like the one below may appear on some of our websites. We are currently working to remove this screen, but if it does appear, please select ‘Cancel’ without entering anything,” Toshiba said in a brief communication.
Japanese retail giant Muji made a similar announcement earlier this week, warning website visitors about a suspicious authentication screen generated by the external service polyfill(.)io.
“Although we have not confirmed any unauthorized access to this site or information leaks at this time, we ask that you consider taking appropriate measures to ensure the safety of our customers,” MUJI said in a statement.
Toshiba and Muji resolved the issue and suspended their services.
Japanese media reported that Zojirushi, FiNC Technologies, Ishiyaku Publishing, and online publishing brand Hobonichi were also affected by the same problem.
Security researcher Pasquale Pillitteri said login prompts also appeared on Samsung smart TVs and websites on June 1.
Some reports claim that this issue was caused by the Polyfill(.)io incident in 2024. In that incident, a domain was purchased by a Chinese company and a malicious script was added that affected over 100,000 websites using the Polyfill service.
Polyfill is a JavaScript CDN for legacy browsers that allows modern sites to run on legacy browsers by providing a compatibility layer for unsupported technologies.
The Polyfill code was distributed via CDN at Polyfill(.)io, but the domain was not owned by the open source project’s creator, Andrew Betts. So once the domain expires, anyone can claim it.
At the time, Betts publicly responded by recommending that website owners remove the service from their sites, and restarted the JavaScript CDN service with a new domain, polyfill.com, before choosing polyfill.prime.
Deactivating the service on Polyfill(.)io stopped the redirects, but some sites using the service failed to clean up all their pages over the past two years, leaving remnants of Polyfill code behind.
Pillitteri reported that starting in late May 2026, the polyfill(.)io domain became active again and began responding with HTTP 401 authentication requests.
When a user visits a page from companies like Toshiba and Muji, their browser interprets this as a request for a username and password and displays a login prompt.
At this time, there is no indication that the affected websites were hacked or that the credentials entered into these fraudulent login screens were stolen. However, we strongly advise users to be cautious of unexpected authentication prompts.
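For site owners checking their own pages for the leftover references described above, the following is an added example (not code from Toshiba, Muji, or the Polyfill project) that parses HTML and reports tags still loading from the retired domain. The tag list and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

RETIRED_HOST = "polyfill.io"  # the domain named in the article
# Tag -> attribute that makes the browser contact a third-party host (assumed list).
URL_ATTRS = {"script": "src", "link": "href", "iframe": "src", "img": "src"}

def is_retired_host(url):
    """True if url points at polyfill.io or one of its subdomains."""
    try:
        # urlsplit also resolves scheme-relative URLs ("//cdn.polyfill.io/...").
        host = (urlsplit(url.strip()).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
        return False
    # Exact or dot-anchored suffix match, so "notpolyfill.io" and
    # "polyfill.io.example.com" are not reported.
    return host == RETIRED_HOST or host.endswith("." + RETIRED_HOST)

class RemnantFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and is_retired_host(value):
                self.hits.append((self.getpos()[0], tag, value))

def find_remnants(html):
    """Return every tag in html that still references the retired domain."""
    finder = RemnantFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample page: two real remnants, two lookalikes that must not match.
SAMPLE = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://polyfill.io">
<script src="//cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="/static/js/polyfill.io-backup.js"></script>
<script src="https://polyfill.io.example.com/p.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for line, tag, url in find_remnants(SAMPLE):
        print(f"line {line}: <{tag}> still loads {url}")
```

Running the same function over rendered templates and cached pages, not only source files, catches references that a one-time cleanup of the main layout missed.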