BREACH BRIEF · 🟠 High · ThreatIntel

Malicious Polyfill CDN Serves Phishing Login Prompts on Toshiba and Muji Websites

A hijacked JavaScript CDN (polyfill.io) began delivering fake authentication pop‑ups on Toshiba and Muji sites, potentially harvesting user credentials. The incident underscores the risk of unmanaged third‑party script dependencies for TPRM programs.

LiveThreat™ Intelligence · 📅 June 06, 2026 · 📰 bleepingcomputer.com
Severity: 🟠 High · Type: ThreatIntel · Confidence: High · Affected: 3 sector(s) · Actions: 4 recommended · Source: bleepingcomputer.com

What Happened — In late May 2026 the compromised JavaScript CDN polyfill.io began injecting HTTP 401‑style login dialogs into pages of Japanese firms Toshiba and Muji. The pop‑ups mimicked native sign‑in screens and could harvest credentials if entered.

Why It Matters for TPRM

  • Third‑party script services can become a covert attack vector, bypassing traditional perimeter controls.
  • Credential‑phishing on vendor‑facing sites can lead to credential reuse attacks against downstream partners.
  • The incident highlights the need for continuous monitoring of external dependencies and rapid remediation of legacy code.

Who Is Affected — Technology hardware/manufacturing (Toshiba), retail & e‑commerce (Muji), plus other Japanese brands that still referenced the old polyfill.io domain (e.g., Zojirushi, FiNC Technologies, Ishiyaku Publishers, Hobonichi, Samsung Smart TV ecosystem).

Recommended Actions

  • Inventory all web assets that reference polyfill.io or any untrusted CDN and replace those references with vetted alternatives.
  • Reset credentials for any accounts whose usernames or passwords may have been entered into the fraudulent dialogs.
  • Deploy CSP (Content‑Security‑Policy) and Subresource Integrity (SRI) to lock down third‑party scripts.
  • Add the polyfill.io domain to blocklists in web‑gateway and endpoint protection solutions.
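
A starting point for the inventory and SRI checks listed above, as an added example that is not from the original brief or its source: it parses a page's HTML, flags scripts loaded from polyfill.io or its subdomains, and flags other cross-origin scripts that lack an `integrity` attribute. The page URL, sample HTML, hosts, and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BLOCKED_DOMAINS = {"polyfill.io"}  # domain named in the brief

class ScriptAudit(HTMLParser):
    """Collect findings for cross-origin <script src=...> tags."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []  # (script host, reason)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        if not attr.get("src"):
            return  # inline script, nothing fetched
        # urljoin resolves relative and protocol-relative (//host/...) URLs
        host = urlsplit(urljoin(self.page_url, attr["src"])).hostname or ""
        if host == self.page_host:
            return  # first-party
        # Match the domain itself or a subdomain, never a look-alike suffix
        if any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS):
            self.findings.append((host, "blocked-domain"))
        elif not attr.get("integrity"):
            self.findings.append((host, "missing-sri"))

def audit_scripts(page_url, html):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; hosts and paths are illustrative only.
PAGE_URL = "https://shop.example.jp/index.html"
SAMPLE_HTML = """
<script src="//cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="https://cdn.example.net/ok.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
<script src="https://notpolyfill.io/x.js" integrity="sha384-CONSTRUCTED"></script>
<SCRIPT SRC="https://POLYFILL.IO/v3/polyfill.js"></SCRIPT>
"""

if __name__ == "__main__":
    for host, reason in audit_scripts(PAGE_URL, SAMPLE_HTML):
        print(f"{reason}: {host}")
```

This covers static markup only; scripts injected at runtime need a browser-side control such as CSP with reporting enabled.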

Technical Notes — The malicious code was delivered via a compromised CDN (polyfill.io) that responded with HTTP 401 authentication challenges, causing browsers to display native‑looking login prompts. No CVE is associated; the vector is a supply‑chain compromise of a third‑party JavaScript provider. Data at risk includes usernames, passwords, and potentially SSO tokens. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/suspicious-polyfill-login-prompts-pop-up-on-toshiba-muji-websites/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
