The digital landscape is once again facing a familiar yet resurgent threat. In early June 2026, tech giant Toshiba and retail powerhouse Muji issued urgent warnings to their users about suspicious login prompts appearing on their websites. This alarming development is tied to the resurgence of the attack, a malicious campaign that initially surfaced in 2026.
The unexpected login prompts were traced back to the domain, which had been dormant since its initial compromise. The domain, once a trusted JavaScript CDN for legacy browser support, was hijacked in 2026 and laced with malicious scripts. Despite efforts to mitigate the threat, remnants of the compromised code remained embedded in numerous websites, leaving them vulnerable to this resurgence.
Toshiba and Muji’s Response to the Resurgent Threat
Both Toshiba and Muji took swift action to address the issue. Toshiba advised its users to avoid entering any information into the suspicious login screens and to select ‘Cancel’ if encountered. Muji, similarly, urged customers to be cautious and consider their response if they came across the unexpected prompts. Both companies have since suspended the service on their sites to prevent further exposure.
The impact of this resurgent threat extends beyond Toshiba and Muji. Japanese media reports identified several other affected brands, including ZojirushiFiNC TechnologiesIshiyaku Publishersand Hobonichi. Additionally, security researcher Pasquale Pillitteri reported that Samsung Smart TV websites were also displaying the rogue login prompts as recently as June 1, 2026.
The Mechanics Behind the Attack
To understand the mechanics of this attack, it’s essential to grasp the role of polyfill scripts. Polyfill is a JavaScript compatibility layer that allows modern websites to function on older browsers. The CDN served these scripts, enabling site owners to add a simple script tag referencing for seamless delivery. However, the domain was never owned by the creator of the open-source project, Andrew Bettsmaking it vulnerable to hijacking.
In 2026, the domain was acquired by a malicious entity, which injected harmful scripts into the CDN, affecting over 100,000 websites. Betts promptly distanced himself from the compromised domain and launched clean alternatives at and later polyfill.top. Despite these efforts, many websites failed to remove all instances of the script, leaving them exposed to the resurgent threat in 2026.
In late May 2026, the domain became active again, responding with HTTP 401 authentication requests. Browsers interpret these requests as a need for a username and password, thereby displaying a login prompt. This deceptive tactic tricks users into entering their credentials, potentially handing them over to the malicious actors controlling the domain.
The Broader Implications and Precautionary Measures
The resurgence of the attack highlights the persistent risks associated with third-party JavaScript dependencies. The incident serves as a stark reminder of the importance of regular audits and the removal of outdated or compromised scripts. Development and security teams are urged to conduct thorough audits of every external script reference across their entire sites, ensuring that no remnants of the code remain.
At present, there is no confirmed evidence of credential theft. However, users who entered their login details into the suspicious prompts are strongly advised to change their passwords immediately and enable two-factor authentication as an added layer of security. Both Toshiba and Muji have emphasized the importance of these precautionary measures to safeguard user accounts.
The attack saga underscores the critical need for vigilance in the digital realm. As the web continues to evolve, so too do the threats that lurk within its infrastructure. By staying informed and proactive, users and organizations can better protect themselves against such insidious attacks.
