Full Report
Tech giant Toshiba and mega-retailer Muji warned visitors that suspicious sign-in screens popping up on their websites could collect credentials. [...]
Analysis Summary
# Incident Report: Supply Chain Compromise via Polyfill[.]io Redirection
## Executive Summary
In late May and early June 2026, several high-profile Japanese organizations, including Toshiba and Muji, experienced a resurgence of the Polyfill supply chain incident. Malicious scripts hosted on the compromised polyfill[.]io domain injected rogue HTTP 401 authentication prompts on legitimate websites to harvest user credentials. While impact was mitigated by the suspension of the service on affected sites, the incident highlights the long-term risks of "zombie" third-party dependencies.
## Incident Details
- **Discovery Date:** June 1–2, 2026
- **Incident Date:** Late May 2026 – June 5, 2026
- **Affected Organizations:** Toshiba, Muji, Zojirushi, FiNC Technologies, Ishiyaku Publishers, Hobonichi, and Samsung (Smart TVs)
- **Sector:** Technology, Retail, Manufacturing, Publishing
- **Geography:** Primarily Japan; Global (via Samsung Smart TVs)
## Timeline of Events
### Initial Access
- **Date/Time:** Late May 2026
- **Vector:** Supply Chain / Third-party Dependency
- **Details:** The domain polyfill[.]io, previously flagged for malicious activity in 2024, became active again and began delivering scripts to websites that had failed to remove the legacy code.
### Lateral Movement
- **Details:** N/A; the attack relied on client-side script injection delivered through a Content Delivery Network (CDN), not on movement through internal corporate networks.
### Data Exfiltration/Impact
- **Details:** The malicious scripts provoked HTTP 401 (authentication required) responses, which caused browsers to display their native "Sign-In" pop-up on pages that never ask for a login. Any credentials entered by users were sent to the attacker-controlled polyfill[.]io domain.
### Detection & Response
- **How it was discovered:** User reports of suspicious login prompts on non-authenticated pages and monitoring by security researcher Pasquale Pillitteri.
- **Response actions taken:** Affected companies (Toshiba/Muji) issued public warnings, advised password resets for affected users, and removed the offending Polyfill code from their web environments.
## Attack Methodology
- **Initial Access:** Exploitation of a trusted third-party domain (polyfill[.]io) that was previously sold to a malicious entity.
- **Persistence:** Dependency persistence; the malicious code remained embedded in the source code of thousands of websites that neglected to "clean" their sites after the initial 2024 incident.
- **Credential Access:** Phishing/Social Engineering via rogue HTTP 401 basic authentication prompts.
- **Impact:** Credential theft and brand reputational damage.
## Impact Assessment
- **Financial:** Undisclosed; costs associated with incident response and potential customer support.
- **Data Breach:** Potential theft of user login credentials for retail and corporate portals.
- **Operational:** Temporary suspension of specific web services and emergency site maintenance.
- **Reputational:** Public warnings required from "Tech giants" regarding the safety of their platforms.
## Indicators of Compromise
- **Domain:** polyfill[.]io (and associated subdomains)
- **Behavioral:** Unexpected browser-native authentication prompts appearing on public-facing pages that do not usually require a login.
## Response Actions
- **Containment:** Removal of `<script>` tags referencing polyfill[.]io from all web directories.
- **Eradication:** Identification of legacy code "remnants" on deep-link pages.
- **Recovery:** Public advisories and forced password resets for users suspected of interacting with the prompts.
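One way to carry out the containment and eradication steps above is a scanner that walks a site's HTML and reports every `<script>` tag whose host is polyfill[.]io or one of its subdomains, plus any other third-party script loaded without an `integrity` attribute (the "remnants" on deep-link pages are exactly what a page-by-page walk catches and a manual review misses). This is an added example written for this report, not code from any of the affected organizations; it assumes the site's HTML lives under one directory tree, and the sample page, directory layout and URLs are constructed for illustration.

```python
"""Audit a static web tree for legacy polyfill[.]io <script> references.

Added example for this report, not code from any of the affected organizations.
Assumptions: site HTML lives under one directory tree; FLAGGED_HOSTS holds the
domain (and, by suffix, its subdomains) to remove; the sample page is constructed.
"""
import json
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Domain from the report's IoC list; subdomains match by suffix.
FLAGGED_HOSTS = {"polyfill.io"}


class ScriptTagCollector(HTMLParser):
    """Record src, integrity attribute and line number of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser lowercases tag names
            return
        attrs = dict(attrs)
        if attrs.get("src"):
            line, _ = self.getpos()
            self.scripts.append(
                {"src": attrs["src"], "integrity": attrs.get("integrity"), "line": line}
            )


def host_of(src):
    """Hostname of a script URL; '' for relative paths. Handles protocol-relative '//host/...'."""
    return (urlparse(src).hostname or "").lower()


def is_flagged(host):
    """True if host is a flagged domain or one of its subdomains."""
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


def audit_html(text):
    """Findings for one HTML document, in document order: flagged hosts and
    third-party scripts that carry no Subresource Integrity hash."""
    collector = ScriptTagCollector()
    collector.feed(text)
    findings = []
    for s in collector.scripts:
        host = host_of(s["src"])
        if is_flagged(host):
            findings.append({"line": s["line"], "src": s["src"], "issue": "flagged-host"})
        elif host and s["integrity"] is None:
            findings.append({"line": s["line"], "src": s["src"], "issue": "third-party-no-sri"})
    return findings


def audit_tree(root):
    """Walk a directory of .htm/.html files and map relative path -> findings for files with problems."""
    report = {}
    for path in sorted(Path(root).rglob("*.htm*")):
        findings = audit_html(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            report[str(path.relative_to(root))] = findings
    return report


# Constructed sample: two legacy polyfill[.]io references (one protocol-relative),
# one reference to the Cloudflare mirror without SRI, and one same-origin script.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
</head><body>Hello</body></html>
"""

if __name__ == "__main__":
    # Build a tiny constructed site in a temp dir and audit it.
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "products").mkdir()
        (Path(root) / "products" / "legacy.html").write_text(SAMPLE_PAGE, encoding="utf-8")
        (Path(root) / "index.html").write_text("<html><body>clean</body></html>", encoding="utf-8")
        print(json.dumps(audit_tree(root), indent=2))
```

Run it against the real document root instead of the temp directory to get a per-file list of tags to delete; the protocol-relative `//polyfill.io/...` form is the one most often missed by a plain text search for `https://polyfill.io`, which is why the scanner resolves hostnames rather than matching strings.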
## Lessons Learned
- **Dependency Rot:** Organizations failed to fully audit and remove a known-malicious dependency after the initial 2024 alert, leaving a "time bomb" in their code.
- **Asset Inventory:** Large organizations lacked a centralized view of all pages using third-party CDNs, leading to incomplete remediation.
- **Supply Chain Fragility:** Dependence on domains not owned by original developers creates a significant point of failure if the domain ownership changes.
## Recommendations
- **Immediate:** Audit all web properties for references to `polyfill[.]io` and replace them with secure alternatives (e.g., Cloudflare’s mirror or self-hosting).
- **Policy:** Implement Content Security Policy (CSP) headers to restrict which domains can execute scripts on company websites.
- **Monitoring:** Deploy Integrity Monitoring or Subresource Integrity (SRI) hashes to ensure third-party scripts have not been altered.
- **Strategic:** Adopt a "Zero Trust" approach to third-party CDNs; favor self-hosting critical JavaScript libraries whenever possible.
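The policy and monitoring recommendations above fit together: a Content Security Policy `script-src` allowlist makes the browser refuse scripts from any host that is not on it (so a domain that changes hands later is blocked rather than trusted), and a Subresource Integrity hash makes the browser refuse a file whose bytes differ from the pinned hash. One caveat a practitioner should know before relying on SRI here: polyfill[.]io built its bundles per browser User-Agent, so a single hash could never match across browsers; SRI is practical for self-hosted or otherwise fixed-content files, which is another reason the self-hosting recommendation matters. The block below is an added example written for this report, not code from any affected organization or from the Polyfill project; the page origin, the allowlist and the sample script bytes are constructed, and the CSP matcher is a simplified model that covers scheme, host and `*.` wildcards only.

```python
"""Restrict script sources with CSP and pin self-hosted scripts with SRI.

Added example for this report, not code from any affected organization or from
the Polyfill project. Assumptions: the page origin and the script-host allowlist
are constructed; the CSP source matcher covers scheme+host and '*.' wildcards only.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed allowlist: same-origin scripts plus the mirror named in the report.
ALLOWED_SCRIPT_HOSTS = ("'self'", "https://cdnjs.cloudflare.com")


def build_csp(script_hosts):
    """Header value: scripts only from the allowlist; plugins off; <base> pinned to origin."""
    return "; ".join([
        "default-src 'self'",
        "script-src " + " ".join(script_hosts),
        "object-src 'none'",
        "base-uri 'self'",
    ])


def script_allowed(src, script_hosts, page_origin="https://www.example.test"):
    """Approximate CSP source-list matching for one script URL.

    Relative and protocol-relative URLs inherit the page's scheme/host, as the
    browser would resolve them. Paths and ports are ignored for brevity.
    """
    page = urlparse(page_origin)
    parsed = urlparse(src)
    scheme = parsed.scheme or page.scheme
    host = (parsed.hostname or page.hostname).lower()
    for source in script_hosts:
        if source == "'self'":
            if scheme == page.scheme and host == page.hostname:
                return True
            continue
        s = urlparse(source)
        if s.scheme and s.scheme != scheme:
            continue
        pattern = (s.hostname or "").lower()
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return True
        if host == pattern:
            return True
    return False


def sri_hash(content, algo="sha384"):
    """SRI integrity value ('sha384-<base64 digest>') for a fixed script file."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content, integrity):
    """True if content matches the integrity value (the check a browser makes before executing)."""
    algo, _, _ = integrity.partition("-")
    return hmac.compare_digest(sri_hash(content, algo), integrity)


def script_tag(path, content):
    """<script> tag for a self-hosted copy, pinned to its current bytes."""
    return (f'<script src="{path}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


# Constructed stand-in for a self-hosted polyfill bundle.
SAMPLE_SCRIPT = b"window.__polyfillsLoaded = true;\n"

if __name__ == "__main__":
    print("Content-Security-Policy:", build_csp(ALLOWED_SCRIPT_HOSTS))
    for url in ("https://cdn.polyfill.io/v3/polyfill.min.js", "//polyfill.io/v3/polyfill.min.js",
                "https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js", "/static/polyfill.min.js"):
        print(f"{'allow' if script_allowed(url, ALLOWED_SCRIPT_HOSTS) else 'block'}: {url}")
    print(script_tag("/static/polyfill.min.js", SAMPLE_SCRIPT))
    print("tampered copy verifies:", verify_sri(SAMPLE_SCRIPT + b"// injected\n",
                                                sri_hash(SAMPLE_SCRIPT)))
```

Send the `build_csp` value as the `Content-Security-Policy` response header (or roll it out first as `Content-Security-Policy-Report-Only` to find pages that still load scripts from unlisted hosts). Regenerate the SRI hash whenever the self-hosted file is deliberately updated; any other change to the bytes, including one made at the CDN, fails `verify_sri` and the browser does not run the script.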