Websites Warn Users of Suspicious Login Prompts from Revived Polyfill.io Domain
Japanese tech giant **Toshiba** and retail behemoth **Muji** have issued urgent warnings to their website visitors regarding suspicious login prompts. These unexpected authentication screens, linked to the revived **polyfill[.]io** domain, could harvest user credentials, highlighting a persistent vulnerability stemming from a 2024 incident.
### Major Brands Flag Rogue Authentication Screens
Users visiting the websites of prominent Japanese companies **Toshiba** and **Muji** have been met with unusual login pop-ups. Both companies swiftly advised customers who might have entered their credentials into these suspicious screens to immediately change their passwords for the affected services.
"We have confirmed that some parts of our website may display a sign-in screen like the one shown below. We are currently working to eliminate this screen, but if you do see it, please select 'Cancel' without entering any information," **Toshiba** stated in an official communication.

**Muji** published a similar alert, urging caution. While neither company has confirmed unauthorized access or information leakage, they emphasized the importance of customer safety. Both **Toshiba** and **Muji** have since resolved the immediate issue by suspending the problematic service integration.
### The Polyfill.io Resurgence: A Persistent Threat
The root cause of these rogue login prompts lies with the external service hosted at **polyfill[.]io**. This domain has a contentious history, having been implicated in a 2024 incident where it introduced malicious code into scripts delivered via its Content Delivery Network (CDN).
**Polyfill** is an open-source JavaScript CDN designed to provide compatibility layers, allowing modern websites to function correctly on older browsers. The original project's creator, **Andrew Betts**, never owned the **polyfill[.]io** domain. When the domain expired, it was acquired by a Chinese entity, leading to the 2024 malicious script injection that affected over 100,000 websites.
While **Betts** publicly recommended removing the service and subsequently relaunched the CDN at polyfill.com, many websites failed to fully purge the old **polyfill[.]io** references from their codebases. Security researcher **Pasquale Pillitteri** reported that, starting in late May 2026, the **polyfill[.]io** domain became active once more. This time, instead of injecting malicious scripts directly, it began responding with HTTP 401 authentication requests.
Browsers treat these 401 responses as legitimate requests for a username and password and display a system-level login prompt. Users can be tricked into divulging their credentials, even though the prompt is triggered by the third-party script request rather than by the legitimate website.
### Widespread Impact and Ongoing Vigilance
Beyond **Toshiba** and **Muji**, Japanese media outlets have reported that other entities, including **Zojirushi**, **FiNC Technologies**, **Ishiyaku Publishers**, and online publishing brand **Hobonichi**, were also affected. **Pillitteri** further noted that **Samsung Smart TVs** and associated websites displayed similar login prompts around June 1st.
At present, there is no confirmed evidence that credentials entered into these rogue screens have been stolen. However, the potential for credential harvesting is significant. This incident serves as a critical reminder for IT security professionals and privacy-conscious users alike to exercise extreme caution regarding unexpected authentication prompts, especially those that appear out of context or without explicit user action. Organizations must ensure thorough audits of third-party script integrations and maintain vigilance against dormant, potentially compromised domains that can reactivate and pose new threats.
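As a starting point for the audit recommended above, the following added example (not code from any of the affected companies or from the Polyfill project) scans a page's HTML for `<script>` tags that still load from the retired domain. It goes one step beyond the article by also listing other third-party scripts that lack a Subresource Integrity (`integrity`) attribute; the sample page and the host `www.example.com` are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

RETIRED_HOSTS = {"polyfill.io"}  # domain named in the article; extend as needed

def on_retired_host(host):
    """True for a retired domain itself or any subdomain of it."""
    return any(host == h or host.endswith("." + h) for h in RETIRED_HOSTS)

class ScriptAudit(HTMLParser):
    """Collect external <script src> references that need review."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line, host, reason)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        # hostname is lowercased by urlsplit; None for inline/relative scripts
        host = urlsplit((a.get("src") or "").strip()).hostname
        if not host or host == self.site_host:
            return
        line = self.getpos()[0]
        if on_retired_host(host):
            self.findings.append((line, host, "retired-host"))
        elif not a.get("integrity"):
            self.findings.append((line, host, "third-party-without-sri"))

def audit(html, site_host):
    parser = ScriptAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from any affected site.
SAMPLE = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=fetch"></script>
<script src="//POLYFILL.IO/v2/polyfill.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://widgets.example.org/w.js"></script>
<script src="/static/app.js"></script>
<script src="https://notpolyfill.io/x.js"></script>
</head></html>"""

if __name__ == "__main__":
    for line, host, reason in audit(SAMPLE, "www.example.com"):
        print(f"line {line}: {host}: {reason}")
```

Run the same check over rendered templates and build output as well as source files, since stale references often survive in generated HTML.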