Suspicious Polyfill login prompts appear on the websites of Toshiba, Muji

Tech giant Toshiba and major retailer Muji have warned visitors that suspicious login screens appearing on their websites could collect information.
Both Japanese companies advised users who entered their account login data into the authentication prompts to change their passwords for the service.
The login prompts are triggered by an external service hosted at polyfill[.]io, which in 2024 introduced malicious code into the files served by its CDN.

“We have confirmed that some parts of our website may display a login screen like the one shown below. We are currently working to eliminate this screen, but if you see it, please select “Cancel” without entering any information,” Toshiba said in a short communication.

Source: Toshiba
Japanese giant Muji published a similar announcement earlier this week, warning website visitors of suspicious authentication prompts generated by the third-party service polyfill[.]io.
“Currently, we have not confirmed any unauthorized access or information leakage to this site, but in order to ensure the safety of our customers, we ask that you consider your feedback,” Muji said.
Both Toshiba and Muji have resolved the issue and stopped the service.
Japanese media reported that Zojirushi, FiNC Technologies, Ishiyaku Publishers, and online publishing brand Hobonichi were also affected by the same problem.
Security researcher Pasquale Pillitteri says Samsung Smart TVs and websites also displayed the login message on June 1.
Some reports trace the problem to the polyfill[.]io incident in 2024, when the domain was bought by a Chinese business that added malicious scripts, affecting more than 100,000 websites using the Polyfill service.
Polyfill is a JavaScript CDN for legacy browsers, allowing modern sites to run on them by providing a compatibility layer for unsupported technologies.
Polyfill code was delivered via a CDN at polyfill[.]io, although the domain did not belong to the open source project’s creator, Andrew Betts. Consequently, once such a domain expires, it can be claimed by anyone.
At the time, Betts responded publicly by recommending that website owners remove the service from their sites. The JavaScript CDN service was then restarted at a new domain, polyfill.com, and later settled on polyfill.top.
While shutting down the service at polyfill[.]io stopped the redirection, some sites using the service failed to clean all their pages in the last two years, so remnants of the Polyfill code remained.
Pillitteri reports that, from the end of May 2026, the polyfill[.]io domain was up and running again and started responding with HTTP 401 authentication requests.
The browsers of users visiting pages such as Toshiba’s and Muji’s interpret that response as a request for a username and password, and therefore display a login prompt.
At this time, there is no indication that the affected websites have been hacked or that the information entered into these malicious login screens has been stolen. However, users are strongly advised to be careful about unexpected authentication prompts.




