Toshiba and Muji warned that visitors to some of their web pages saw unexpected browser sign-in prompts that could trick people into entering credentials. The prompts were tied to lingering references to the compromised polyfill.io JavaScript content delivery network (CDN), which began responding with HTTP 401 authentication challenges in late May 2026; affected companies removed or suspended the service, and no confirmed credential theft has been reported so far.
Why it matters: People who entered usernames or passwords into these pop-ups should change them, and website owners should remove any remaining polyfill.io code immediately. This matters because it shows how a long-abandoned third-party script can still create phishing risk years after an earlier supply-chain compromise.
Bill Toulas
2026.06.05
100% relevant
This article establishes a distinct 2026 follow-on event from the earlier Polyfill compromise: dormant polyfill.io inclusions on live sites caused browser credential prompts on major websites, creating a fresh user-facing phishing risk.
← Back to all stories