The ongoing Polyfill.io supply chain compromise has taken a more dangerous turn, with visitors to the official websites of Toshiba and Japanese retailer Muji now encountering fraudulent login prompts designed to harvest user credentials.

From redirects to credential theft

The malicious pop-up screens, which mimic legitimate sign-in forms, appeared on both companies' websites and are capable of silently collecting usernames and passwords entered by unsuspecting users. This marks a significant escalation in the broader Polyfill.io attack, which had previously been associated primarily with web redirects and scam pages rather than direct credential harvesting.

The Polyfill.io domain — once home to a widely trusted open-source library that provided JavaScript polyfills for older browsers — was acquired by a Chinese company and subsequently weaponised earlier in 2024. Since the compromise, security researchers have documented an ever-expanding wave of malicious payloads delivered through the compromised script, affecting tens of thousands of websites worldwide.

A systemic vulnerability exposed

The Toshiba and Muji incidents underscore an uncomfortable reality for the modern web: even organisations with significant security resources can become unwitting vectors for attacks through third-party JavaScript dependencies. Neither company's own infrastructure was breached — instead, the malicious code was served to visitors simply because their websites loaded scripts from the compromised Polyfill.io domain.

This is precisely the kind of cascading risk that security professionals have long warned about. A single compromised CDN endpoint or third-party library can propagate threats across thousands of sites in an instant, bypassing perimeter defences entirely. For users, the experience is indistinguishable from an attack originating on the website itself — the fake login prompt appears within a trusted domain, making it far more convincing than a typical phishing email.

What website operators should do now

The incident reinforces several critical best practices for web development and security teams:

  • Audit all third-party scripts. Organisations should maintain a comprehensive inventory of external JavaScript loaded on their sites and continuously monitor these dependencies for changes.
  • Implement Subresource Integrity (SRI). SRI hashes allow browsers to verify that fetched scripts have not been tampered with, providing a technical safeguard against supply chain compromises.
  • Minimise external dependencies. Where possible, self-hosting critical libraries reduces exposure to third-party compromises. The original Polyfill.io script can be replaced with locally served versions or removed entirely if polyfill support is no longer needed.
  • Monitor for anomalous user-facing elements. Tools that detect unexpected pop-ups, forms, or overlay elements injected into web pages can help identify compromise in real time.

The wider context

The Polyfill.io compromise has become one of the most cited examples of JavaScript supply chain risk in recent memory. Security researchers have noted that the attack surface continues to grow as the compromised script remains embedded in sites that have yet to remove it — a problem compounded by the fact that many developers may not even be aware they are loading the resource.

For the IT community in Hong Kong and beyond, the Toshiba and Muji cases serve as a timely reminder that supply chain security is not a theoretical concern. Organisations relying on third-party JavaScript — whether for analytics, advertising, compatibility, or UI frameworks — should treat dependency management as a core security function, not an afterthought.

BleepingComputer reported the discovery of the fake login prompts on both sites, noting that visitors were advised to refrain from entering any credentials on the suspicious screens.

