
Visitors to the websites of well-known brands including Toshiba and Muji are encountering suspicious login prompts that shouldn’t be there. The culprit is a compromised version of a JavaScript helper library called polyfill.io. The legitimate polyfill service was sold in 2024, and its new operator began injecting malicious code into thousands of websites that still load the library. That code is now popping up fake login windows designed to steal the username and password of anyone who types into them.
This is a supply chain attack: the websites themselves were not directly hacked, but a shared piece of code they all depend on was tampered with. If you visited one of these sites and saw an unexpected popup asking you to log in, do not enter your credentials — and if you already did, change your password immediately.
How to check if you’re affected
Any website still loading scripts from the polyfill.io domain is affected. As a visitor, check the following:
- Unexpected login popups: If a site you are visiting shows a login dialog you didn’t ask for — especially one that appears over the main page rather than on a dedicated login page — close it without entering anything.
- Recently visited Toshiba or Muji: If you used toshiba.com or muji.com in the last few days and entered a password in a popup, change that password now and on any other site where you reuse it.
- Password manager protection: A good password manager will only auto-fill credentials on the exact domain you saved them for. If it refuses to fill in a popup, that’s a warning sign the form is not legitimate.
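
For site operators, the condition described above (a page still loading scripts from the polyfill.io domain) can be checked directly against a page's HTML. The Python below is an added example, not code from the original article; the sample markup, the shop.example address and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

FLAGGED_DOMAIN = "polyfill.io"  # the domain named in the article


def host_is_flagged(host):
    """True for polyfill.io and its subdomains, not for look-alike hosts."""
    host = (host or "").lower().rstrip(".")
    return host == FLAGGED_DOMAIN or host.endswith("." + FLAGGED_DOMAIN)


class ScriptAudit(HTMLParser):
    """Collects every <script src=...> whose resolved host is flagged."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag != "script" or not src:
            return  # inline scripts and other tags load nothing remote here
        # Resolve relative and protocol-relative (//host/path) references
        # against the page URL before comparing hosts.
        absolute = urljoin(self.page_url, src.strip())
        if host_is_flagged(urlsplit(absolute).hostname):
            self.findings.append({"url": absolute, "line": self.getpos()[0]})


def find_flagged_scripts(html, page_url):
    audit = ScriptAudit(page_url)
    audit.feed(html)
    audit.close()
    return audit.findings


# Constructed sample page (not taken from any real site).
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="https://polyfill.io.example.net/lib.js"></script>
<script src="/static/polyfill.io/local-copy.js"></script>
<script>var note = "polyfill.io";</script>
</head></html>"""

if __name__ == "__main__":
    for hit in find_flagged_scripts(SAMPLE_HTML, "https://shop.example/"):
        print(f"line {hit['line']}: {hit['url']}")
```

Only the first two script tags in the sample are reported; the look-alike host, the locally hosted copy and the inline mention are not, because the check compares the resolved hostname rather than searching for the string.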
