Executive Summary
In early June 2026, Toshiba and Muji reported unauthorized login prompts appearing on their websites, potentially compromising user credentials. These prompts were linked to the external service polyfill.io, which had previously introduced malicious code in 2024. Both companies advised users who entered their credentials to change their passwords immediately. The issue has since been resolved, with the affected service suspended.
This incident underscores the persistent risk of third-party scripts loaded at runtime and the importance of regularly auditing external dependencies. Organizations must remain vigilant, especially when integrating external code, to prevent similar compromises.
Why This Matters Now
The resurgence of malicious activity through polyfill.io highlights the ongoing threat posed by compromised third-party services. Organizations must prioritize the security of external integrations to safeguard user data and maintain trust.
Attack Path Analysis
In 2024, the Polyfill.io domain was acquired by a Chinese company, after which the service began serving malicious JavaScript to the more than 100,000 websites that embedded it. Because the script was fetched on every page view from a URL the sites did not control, the attack rode on the trust placed in a widely used browser-compatibility library rather than on any flaw in the sites themselves. The later incident described above followed the same path: pages on the Toshiba and Muji websites that still referenced the service displayed unauthorized login prompts, which could harvest the credentials of users who entered them. In both cases the only effective remediation was to remove the script reference entirely.
Kill Chain Progression
Initial Compromise
Description
The Polyfill.io domain was acquired by a Chinese company, which began injecting malicious JavaScript into the service.
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise Software Supply Chain (T1195.002)
Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001)
Obfuscated Files or Information: HTML Smuggling (T1027.006)
Command and Scripting Interpreter: JavaScript (T1059.007)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security vulnerabilities are identified and addressed; all payment page scripts loaded and executed in the consumer's browser are managed
Control ID: 6.3, 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Asset & Supply Chain Risk Management (Devices pillar)
Control ID: 3.1
NIS2 Directive – Cybersecurity risk-management measures, including supply chain security
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Consumer Electronics
The Toshiba incident shows that a consumer electronics vendor's public website inherits the supply-chain risk of every third-party script it loads, requiring a maintained inventory of external scripts, change monitoring on those dependencies, and threat detection tuned to injected page content.
Retail Industry
Muji and other retailers face credential harvesting risks from compromised CDN services, necessitating zero trust segmentation and multicloud visibility controls.
Computer Software/Engineering
Polyfill CDN compromise highlights JavaScript supply-chain attacks targeting legacy browser compatibility, requiring inline IPS and cloud firewall protection mechanisms.
Internet
Web service providers that load scripts from third-party CDNs face credential-harvesting threats such as injected login prompts, demanding monitoring of third-party script behaviour and anomaly detection for unexpected authentication requests on their pages.
Sources
- Suspicious Polyfill login prompts pop up on Toshiba, Muji websites – https://www.bleepingcomputer.com/news/security/suspicious-polyfill-login-prompts-pop-up-on-toshiba-muji-websites/ (verified)
- Over 100,000 websites compromised after Polyfill.io gets exploited by Chinese company – https://www.techspot.com/news/103566-polyfillio-domain-acquired-chinese-company-abused-embed-malicious.html (verified)
- Why you need to remove the Polyfill.io script from your website – https://www.kaspersky.com/blog/polyfill-io-service-supply-chain-attacks/51635/ (verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident in that it could have limited an attacker's ability to exploit implicit trust within the site operators' cloud environments, reducing the blast radius of any follow-on activity. Note that the malicious JavaScript executed in visitors' browsers at page load: network controls in the operator's cloud do not stop that script from running, so they complement, rather than replace, removing the dependency and enforcing a Content Security Policy.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The malicious JavaScript injection could have been constrained, limiting the initial compromise's effectiveness.
Control: Zero Trust Segmentation
Mitigation: Any attempt to use harvested credentials to pivot into backend workloads could have been limited, reducing the potential for unauthorized actions.
Control: East-West Traffic Security
Mitigation: Lateral movement between workloads after any server-side foothold could have been constrained. The script's reach across websites, however, came from each site embedding the same CDN URL, which network segmentation does not address.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels could have been limited, reducing data exfiltration risks.
Control: Egress Security & Policy Enforcement
Mitigation: Exfiltration from the operator's own workloads could have been constrained, reducing data loss. Credentials typed into an injected prompt leave directly from the visitor's browser and are not subject to the site's egress policy.
The overall impact of the attack could have been limited, reducing the extent of credential theft and maintaining trust in affected websites.
Impact at a Glance
Affected Business Functions
- E-commerce Platform
- Customer Account Management
- Online Customer Support
Estimated downtime: 2 days
Estimated loss: $50,000
Potential exposure of customer login credentials due to unauthorized login prompts.
Recommended Actions
Key Takeaways & Next Steps
- Implement supply chain security measures to vet third-party services and libraries before they are embedded.
- Regularly audit and monitor external dependencies for unauthorized changes, including changes of ownership of the domain serving them.
- Deploy Content Security Policy (CSP) headers with a script-src allowlist so browsers refuse scripts from origins that are not explicitly trusted; add Subresource Integrity (SRI) hashes to third-party scripts whose content is fixed.
- Educate users to recognize and report suspicious login prompts or unexpected authentication requests.
- Establish incident response plans to quickly address and mitigate supply chain attacks.
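The audit and CSP steps above can be scripted. The following is an added example, not code from the page's sources or from any vendor: a standard-library Python helper that parses a saved HTML page, flags any script served from the polyfill.io domain, flags other cross-origin scripts that carry no SRI hash, and derives a script-src directive that allows only 'self' and the vetted third-party origins. The sample page, the example.test hostnames, the COMPROMISED_HOSTS set and the function names are all constructed for illustration. One caveat the page does not mention: polyfill.io served a different bundle depending on the requesting User-Agent, so SRI could never have protected that dependency; for such services the only options are removing the tag or self-hosting the polyfills you need.

```python
"""Audit an HTML page's third-party <script> tags and derive a CSP allowlist.

Hypothetical audit helper written to illustrate the takeaways above; it is not
code from the page's sources or from any vendor.  Standard library only, so it
runs offline against saved HTML.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts treated as compromised.  Only polyfill.io is named on the page; extend
# this set from your own threat intelligence.
COMPROMISED_HOSTS = {"polyfill.io"}


class ScriptCollector(HTMLParser):
    """Collects every <script src=...> tag together with its SRI attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser lowercases tag/attribute names
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({
                "src": a["src"],
                "integrity": a.get("integrity"),
                "crossorigin": a.get("crossorigin"),
            })


def host_matches(host, blocked):
    """True if host is blocked or a subdomain of it (cdn.polyfill.io matches polyfill.io)."""
    return host == blocked or host.endswith("." + blocked)


def build_script_src(hosts):
    """Build a script-src directive allowing 'self' plus the vetted HTTPS origins only."""
    parts = ["'self'"] + sorted("https://" + h for h in hosts)
    return "script-src " + " ".join(parts) + ";"


def audit_html(html, site_host):
    """Return (findings, script_src_directive) for one page.

    site_host is the page's own hostname, so absolute same-origin URLs are
    treated like relative ones and never enter the third-party allowlist.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    allowed_hosts = set()
    for script in parser.scripts:
        host = (urlparse(script["src"]).hostname or "").lower()
        if not host or host == site_host:
            continue  # relative or same-origin script: not a third-party dependency
        if any(host_matches(host, b) for b in COMPROMISED_HOSTS):
            findings.append({"src": script["src"], "issue": "compromised-host",
                             "action": "remove the tag; self-host the polyfills you need"})
            continue  # never allowlist a compromised origin
        if not script["integrity"]:
            findings.append({"src": script["src"], "issue": "missing-sri",
                             "action": "add integrity= and crossorigin= if the file is static"})
        allowed_hosts.add(host)
    return findings, build_script_src(allowed_hosts)


# Constructed sample page (not a real Toshiba or Muji page).  The polyfill.io
# URL form is the one the service was commonly embedded with.
SAMPLE_HTML = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://www.example.test/js/vendor.js"></script>
  <script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
  <script src="https://cdn.example-cdn.test/lib.js"
          integrity="sha384-REPLACE_WITH_REAL_HASH"
          crossorigin="anonymous"></script>
  <script src="https://analytics.example.test/tag.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    findings, csp = audit_html(SAMPLE_HTML, "www.example.test")
    for f in findings:
        print(f"{f['issue']:16} {f['src']}\n{'':16} -> {f['action']}")
    print("Content-Security-Policy:", csp)
```

Running the script over the sample page reports the polyfill.io tag for removal and the analytics tag for a missing SRI hash, and emits a script-src directive that names only the two vetted origins. Because cdn.polyfill.io is absent from that directive, a browser enforcing the resulting Content-Security-Policy header would refuse to execute the polyfill script even if a stale tag remained on some page, which is the defence-in-depth the CSP takeaway is after.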