The security threat involves suspicious login prompts generated by the compromised polyfill[.]io JavaScript CDN service, which was used by Toshiba, Muji, and other websites. The polyfill[.]io domain expired and was acquired by a third party in 2024, who injected malicious code into the scripts served by the CDN. Although the service was deactivated, some websites failed to remove all instances of the polyfill[.]io code. In late May 2026, the domain became active again and started responding with HTTP 401 authentication requests, causing browsers to display login prompts that could collect user credentials. There is no confirmed evidence of credential theft or website compromise. Affected companies have suspended the service and warned users to cancel any unexpected login prompts.

The impact is primarily the risk of credential theft due to deceptive login prompts appearing on affected websites. However, there is no confirmed evidence that credentials entered were stolen or that the websites themselves were compromised. The presence of the malicious prompts could lead to user confusion and potential phishing if users enter their credentials. The issue affects multiple high-profile Japanese companies and other websites that used the compromised polyfill[.]io CDN service.

Affected organizations have suspended the use of the polyfill[.]io service and advised users not to enter credentials into unexpected login prompts. Website owners should thoroughly remove all remnants of the compromised polyfill[.]io scripts from their sites. Users encountering unexpected authentication prompts on these sites should cancel the prompt and consider changing their passwords if they entered credentials. Patch status is not applicable as this is a supply chain and legacy code removal issue rather than a software vulnerability with a patch. Check vendor advisories for updates and remediation guidance.