Toshiba and Muji Websites Compromised by Malicious CDN Scripts
AI-generated from multiple sources. Verify before acting on this reporting.
TOKYO (AP) — Japanese electronics giant Toshiba and lifestyle retailer Muji faced a cybersecurity breach on Wednesday after malicious scripts embedded in a third-party content delivery network began generating fraudulent login prompts on their websites.
The incident, detected on June 5, 2026, involved the polyfill.io service, a widely used platform that delivers JavaScript libraries to web developers. Security researchers identified that code introduced into the polyfill.io system in 2024 remained dormant until late May 2026, when it was reactivated to intercept user credentials.
Visitors to the Toshiba and Muji websites encountered pop-up windows mimicking official authentication requests. The prompts asked users to enter usernames and passwords, which were then transmitted to unauthorized servers. Both companies confirmed the presence of the suspicious activity and immediately took steps to mitigate the threat.
Toshiba stated that it had identified the intrusion and removed the compromised scripts from its systems. The company advised users who logged in during the affected period to change their passwords and monitor their accounts for unauthorized activity. Muji issued a similar warning, urging customers to remain vigilant and report any suspicious communications.
The polyfill.io service, which provides essential coding tools for web development, has been a critical component for thousands of websites globally. The breach highlights the risks associated with relying on external content delivery networks, where a single compromised script can affect multiple high-profile domains.
Cybersecurity experts noted that the malicious code was sophisticated, designed to evade detection by remaining inactive for over a year before activation. The delay suggests a coordinated effort to exploit the trust users place in established brands.
Both Toshiba and Muji are cooperating with Japanese authorities to investigate the scope of the breach. Law enforcement agencies are examining whether user data was exfiltrated and identifying the perpetrators behind the attack.
The incident raises questions about the security protocols of third-party services used by major corporations. While polyfill.io has not issued a public statement regarding the breach, the company’s role in delivering the compromised scripts remains central to the investigation.
Users are advised to enable two-factor authentication on their accounts and to avoid entering credentials into any unexpected prompts. As the investigation continues, authorities are working to determine whether other websites using polyfill.io were similarly affected.
The breach underscores the growing complexity of cyber threats targeting supply chains and third-party vendors. Companies are increasingly scrutinizing the security of external services integrated into their digital infrastructure.
Further details on the extent of the data compromise are expected as the investigation progresses.