Tech giant Toshiba and mega-retailer Muji warned visitors that suspicious sign-in screens popping up on their websites could collect credentials.

Both Japanese companies advised users who entered their account login data in the authentication screens to change their passwords to access the service.

The login pop-ups were generated by the external service hosted at polyfill[.]io, which in 2024 introduced malicious code in scripts delivered by its CDN.

“We have confirmed that some parts of our website may display a sign-in screen like the one shown below. We are currently working to eliminate this screen, but if you do see it, please select "Cancel" without entering any information," Toshiba said in a short communication.

Japanese retail giant Muji published a similar announcement earlier this week, warning website visitors of suspicious authentication screens generated by the external service polyfill[.]io.

“At this time, we have not confirmed any unauthorized access or information leakage to this site, but in order to ensure the safety of our customers, we ask that you consider your response,” Muji states.

Both Toshiba and Muji have solved the issue and suspended the service.

Japanese media outlets reported that Zojirushi, FiNC Technologies, Ishiyaku Publishers, and online publishing brand Hobonichi were also impacted by the same issue.

Security researcher Pasquale Pillitteri says that Samsung Smart TVs and websites also displayed a login prompt on June 1.

Some reports claim that the problem was caused by the polyfill[.]io incident in 2024, when the domain was purchased by a Chinese entity and added malicious scripts that impacted more than 100,000 websites using the Polyfill service.

Polyfill is a JavaScript CDN for  legacy browsers, allowing modern sites to run on them by providing a compatibility layer for unsupported technologies.

The Polyfill code was delivered via a CDN at polyfill[.io], although the domain was not owned by the creator of the open source project, Andrew Betts. As such, when the domain expired, it could be claimed by anyone.

At the time, Betts responded publicly by recommending that website owners remove the service from their sites, and relaunched the JavaScript CDN service at a new domain, polyfill.com, and later settled at polyfill.top.

While the deactivation of the service at polyfill[.]io stopped the redirections, some sites using the service failed to clean all their pages over the past two years, so remnants of Polyfill code remained.

Pillitteri reports that, starting in late May 2026, the polyfill[.]io domain became active again and started responding with HTTP 401 authentication requests.

User browsers visiting pages such as Toshiba’s and MUJI’s interpret that as a request for a username and password, so they serve a login prompt.

At the moment, there is no indication that impacted websites were hacked or that credentials entered on these rogue login screens were stolen. However, users are strongly recommended to be cautious about unexpected authentication prompts.