Tech giant Toshiba and retailer Muji said suspicious sign-in screens appeared on parts of their websites in Japan this week, raising concerns that visitors could enter credentials into rogue forms linked to the polyfill.io service.
KEY FACTS
- Companies affected Toshiba and Muji warned site visitors about the prompts.
- User advice People who entered login data were told to change passwords.
- Technical cause The screens came from the external service hosted at polyfill.io.
- Scope Japanese reports said other firms and Samsung Smart TVs were also affected.
Toshiba said some parts of its site may show a sign-in screen and told users to select Cancel without entering any information. Muji issued a similar notice and said it had not confirmed unauthorized access or information leakage to its site.
The issue followed earlier problems with polyfill.io, a JavaScript CDN used to support legacy browsers. In 2024, the domain was associated with malicious code, and the service was later moved to new domains after the original address expired.
A technical analysis by Pasquale Pillitteri said the polyfill.io domain became active again in late May 2026 and began returning HTTP 401 authentication requests. Browsers can interpret that response as a request for credentials, which triggers a login prompt.
Japanese media said Zojirushi, FiNC Technologies, Ishiyaku Publishers and the Hobonichi publishing brand were also impacted. Reports also said Samsung Smart TVs and websites showed similar prompts on June 1.
Both Toshiba and Muji said they resolved the issue and suspended the service. There is no indication so far that the affected websites were hacked or that credentials entered into the prompts were stolen.
WHY IT MATTERS
The incident shows how an external web service can create confusing login prompts that look legitimate to visitors. Users who see an unexpected authentication screen on a trusted site should avoid entering information until they verify the prompt.