"We have confirmed that some parts of our website may display a sign‑in screen like the one shown below," Toshiba said, and urged visitors to select "Cancel" without entering information.
How the prompts appeared on Toshiba and Muji websites
Visitors to Toshiba and Muji websites this week saw unexpected authentication pop‑ups that looked like legitimate login prompts. Both companies warned that the screens were generated by an external service hosted at polyfill[.]io and advised users who had entered credentials to change their passwords for the affected accounts.
Toshiba published a short communication telling users to select "Cancel" if they saw the screen while the company worked to remove it. Muji issued a similar notice, saying it had not confirmed any unauthorized access or information leakage but asking customers to "consider your response" and urging caution. According to the companies, the immediate mitigation was to suspend the service that caused the prompts; both firms have since taken that step and said the issue was resolved on their sites.
What polyfill[.]io is and why it resurfaced
Polyfill is a JavaScript content delivery service that supplies compatibility code to help modern websites run on legacy browsers. The source material traces a sequence that began in 2024, when the polyfill[.]io domain was allowed to expire and — according to some reports — was purchased by a Chinese entity that introduced malicious scripts. The open‑source project's creator, Andrew Betts, had recommended that site owners remove the service at the time and relaunched the CDN under new domains, first polyfill.com and later polyfill.top.
Although the malicious scripts were deactivated after the 2024 incident, many sites failed to remove all instances of the old polyfill[.]io code. The result: residual references to that domain remained on pages for more than two years. Beginning in late May 2026, researchers observed polyfill[.]io become active again and respond to requests with HTTP 401 authentication responses. Web browsers interpret such responses as a request for a username and password and present a native login prompt to users — the same prompt users saw on Toshiba and Muji pages.
Other affected brands and the researcher timeline
Japanese media reports named additional organizations that were impacted by the same issue: Zojirushi, FiNC Technologies, Ishiyaku Publishers, and the online publishing brand Hobonichi. Security researcher Pasquale Pillitteri reported that Samsung Smart TVs and various websites displayed login prompts on June 1, 2026. Pillitteri’s observations linked the reactivated polyfill[.]io responses to the sudden appearance of authentication dialogs across a range of endpoints.
The available reporting notes there is, so far, no indication that the affected websites themselves were hacked or that credentials entered into the rogue prompts were captured and exfiltrated.
What security teams and web owners should watch
- Web owners who relied on polyfill[.]io in the past should search their pages for lingering references to that domain and remove or update them, echoing the steps initially recommended by the polyfill project’s creator.
- Security teams should pay attention to anomalous HTTP 401 responses coming from third‑party domains and treat unexpected browser authentication dialogs as potential signals of supply‑chain residue or abuse.
- End users who see an unprompted browser login screen on a trusted site should avoid entering credentials and follow vendor guidance (Toshiba’s instruction to select "Cancel" and Muji’s request that customers consider changing passwords if they submitted data).
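The first two items above, as an added example that is not part of the original article or of the polyfill project: a small Python scanner that finds lingering script/link references to the legacy domain in a page, and a check over proxy log lines that flags 401 responses coming from third-party hosts rather than the site's own authentication endpoints. The log format (`timestamp method url status`), the hostnames and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain family whose residual references the article describes.
LEGACY_DOMAINS = {"polyfill.io"}

def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):  # collect src/href of script and link tags
        if tag in ("script", "link"):
            self.refs += [v for k, v in attrs if k in ("src", "href") and v]

def find_legacy_refs(html, domains=LEGACY_DOMAINS):
    """Return script/link URLs whose host is a legacy domain. Absolute and
    protocol-relative (//host/...) URLs count; same-origin paths have no host."""
    p = _RefCollector()
    p.feed(html)
    return [r for r in p.refs
            if _in_domains((urlparse(r).hostname or "").lower(), domains)]

def flag_third_party_401(log_text, first_party):
    """From 'timestamp method url status' proxy lines (constructed format), return
    third-party URLs that answered 401. Your own auth endpoint returning 401 is
    normal; an embedded CDN doing so is what triggers the browser login dialog."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "401":
            continue
        host = (urlparse(parts[2]).hostname or "").lower()
        if host and not _in_domains(host, first_party):
            hits.append(parts[2])
    return hits

# Constructed sample page and proxy log; not captured from any real site.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://static.example.test/site.css">
</head><body></body></html>"""
SAMPLE_LOG = """2026-06-01T09:00:01Z GET https://www.example.test/ 200
2026-06-01T09:00:01Z GET https://cdn.polyfill.io/v3/polyfill.min.js 401
2026-06-01T09:00:02Z GET https://www.example.test/api/session 401
2026-06-01T09:00:03Z GET https://static.example.test/app.js 200"""
```

Running `find_legacy_refs(SAMPLE_HTML)` returns the two polyfill references and skips the same-origin script; `flag_third_party_401(SAMPLE_LOG, {"example.test"})` reports only the CDN's 401, not the site's own session endpoint.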
Why these kinds of supply‑chain remnants matter
This episode underlines a simple but persistent risk: third‑party components that are no longer maintained or that change ownership can reintroduce unexpected behavior long after the primary site operator believes the dependency is gone. In this case the behavior was an authentication prompt; in other instances the code could attempt to load malicious scripts or redirect users. Toshiba and Muji stopped the immediate problem by suspending calls to the service, but the broader issue persists where legacy references remain in site code.
The immediate facts are clear: multiple well‑known Japanese brands saw login prompts generated by the polyfill[.]io service, companies advised caution and password changes where appropriate, and researchers traced the behavior to renewed 401 responses from the defunct domain. The longer arc — how many pages still carry remnants of that service, who reactivated the domain, and whether any credentials were captured before sites removed the calls — remains to be documented by further technical analysis.