
Suspicious Polyfill Login Prompts Pop up on Toshiba, Muji Websites
Why It Matters
The incident underscores the security risk of depending on third‑party CDNs for core code, exposing millions of users to credential‑phishing attacks and forcing companies to audit external dependencies.
Key Takeaways
- Polyfill.io CDN injected malicious scripts after 2024 domain takeover.
- Toshiba, Muji, and other Japanese brands saw fake login prompts.
- Over 100,000 websites potentially vulnerable to credential harvesting.
- Experts urge immediate removal of polyfill.io and audit of third‑party scripts.
Pulse Analysis
Polyfill.io began as an open‑source JavaScript CDN that helped legacy browsers run modern web features. When the original domain expired, a Chinese entity acquired it and inserted malicious payloads into the scripts served to any site that still referenced the old URL. Because the CDN’s code is loaded on every page load, the compromise silently propagated across a vast ecosystem, illustrating how a single point of failure in supply‑chain infrastructure can jeopardize thousands of unrelated websites.
The breach surfaced publicly when Toshiba and Muji noticed unexpected authentication dialogs appearing to visitors. The dialogs, triggered by HTTP 401 responses from the compromised polyfill.io server, were indistinguishable from legitimate sign‑in screens, prompting users to enter credentials that could be harvested. While no confirmed data theft has been reported, the companies acted quickly, advising users to cancel the prompts and reset passwords. Subsequent investigations linked the same behavior to other Japanese firms such as Zojirushi and even Samsung Smart TVs, confirming the breadth of the exposure.
For enterprises, the episode is a cautionary tale about the hidden risks of third‑party script hosting. Security teams should inventory all external resources, enforce Subresource Integrity checks, and migrate to trusted domains like polyfill.com or self‑hosted alternatives. Regular vulnerability scans and real‑time monitoring of CDN responses can detect anomalous authentication challenges before they reach end users. As cyber‑criminals increasingly target supply‑chain vectors, proactive governance of external code becomes a critical component of an organization’s overall risk management strategy.
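As a starting point for the inventory and Subresource Integrity review described above, the following added example (not code from the article or from any affected company) lists the third-party scripts a page loads, flags any served from polyfill.io or without an `integrity` attribute, and recognises the 401 authentication challenge the article describes on a script response. The sample HTML, the example.* hosts, the script paths and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Host the article names as compromised; extend with your own denylist.
BLOCKED_HOSTS = {"polyfill.io"}

# Constructed sample page (hosts other than polyfill.io are placeholders).
SAMPLE = """
<script src="/static/app.js"></script>
<script src="https://cdn.polyfill.io/example.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="//static.example.org/widget.js"></script>
"""

class ScriptInventory(HTMLParser):
    """Collect every third-party <script src> with its host and issues."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag != "script" or not src:
            return  # not a script, or inline code with nothing fetched
        host = (urlsplit(src).hostname or self.page_host).lower()
        if host == self.page_host:
            return  # first-party, served from the site's own origin
        issues = []
        if any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS):
            issues.append("blocked-host")
        if not attrs.get("integrity"):
            issues.append("no-sri")
        self.findings.append((src, host, issues))

def audit_html(html, page_host):
    parser = ScriptInventory(page_host)
    parser.feed(html)
    return parser.findings

def is_auth_challenge(status, headers):
    """True when a script fetch returned 401 plus WWW-Authenticate."""
    return status == 401 and "www-authenticate" in {k.lower() for k in headers}

if __name__ == "__main__":
    for finding in audit_html(SAMPLE, "www.example.com"):
        print(finding)
```

Subresource Integrity only helps for files whose bytes are stable; a script service that tailors its response to each browser cannot be pinned to one hash and is a candidate for self-hosting instead.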