ctipilot.ch

Hijacked polyfill[.]io domain reactivates with HTTP 401 credential prompts

incident · item:polyfill-io-domain-reactivates-http-401-credential-prompts

Entity summary

  • Coverage timeline: 1 (first 2026-06-07 → last 2026-06-07)
  • Briefs: 1 (1 distinct)
  • Sources cited: 13 (10 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-07 · CTI Daily Brief — 2026-06-07
    active_threats · First coverage. 2024-hijacked polyfill[.]io CDN domain reactivated, throwing HTTP 401 → native browser credential prompts on sites with residual script tags; Toshiba/Muji public warnings. Distinct from 2024 JS-injection attack.

Where this entity is cited

  • active_threats (1)

Source distribution

  • attack.mitre.org: 3 (23%)
  • isc.sans.edu: 2 (15%)
  • bleepingcomputer.com: 1 (8%)
  • global.toshiba: 1 (8%)
  • krebsonsecurity.com: 1 (8%)
  • socket.dev: 1 (8%)
  • stepsecurity.io: 1 (8%)
  • techcrunch.com: 1 (8%)
  • other: 2 (15%)

Related entities

All cited sources (13)

Items in briefs about Hijacked polyfill[.]io domain reactivates with HTTP 401 credential prompts (1)

Hijacked polyfill[.]io domain reactivates, surfacing native browser credential prompts on sites that never removed legacy script tags

From CTI Daily Brief — 2026-06-07 · published 2026-06-07

The polyfill[.]io CDN domain — seized and weaponised in the June 2024 supply-chain attack that affected more than 100,000 sites — became active again in late May 2026 and began answering with HTTP 401 authentication challenges, which browsers render as native credential dialog boxes (BleepingComputer, 2026-06-05). Any site still loading a <script src="…polyfill[.]io…"> tag — a failure documented across many organisations since 2024 — now prompts visitors for credentials in a dialog that appears to originate from the trusted site. Toshiba published a warning on 2026-06-02 telling users to click Cancel without entering anything (Toshiba, 2026-06-02); Muji issued a parallel notice stating it had not confirmed unauthorised access or data leakage (BleepingComputer, 2026-06-05). This is mechanically distinct from the 2024 redirect-to-malicious-JavaScript attack: the harm here is HTTP-401-induced credential phishing, not script injection, so neither party has confirmed exfiltration — but both advised affected users to change passwords. Maps to T1195.002 (Compromise Software Supply Chain). Why it matters to us: The exposure is entirely a function of stale third-party references, which most organisations underestimate. Grep all rendered HTML, CMS templates, and CDN-inclusion lists for polyfill[.]io with any subdomain or path; replace with the legitimate polyfill.com / polyfill.top mirrors or self-hosted polyfills, and enforce Subresource Integrity (SRI) on all third-party scripts. Web-proxy/SWG logs showing 401 responses from polyfill[.]io pinpoint pages that still load the script.
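The two checks the brief recommends (find residual polyfill[.]io script tags and flag third-party scripts without SRI; then use proxy 401 responses to pinpoint the pages still loading the script) can be scripted. The following is an added example written for this page; it is not code from ctipilot.ch, BleepingComputer, Toshiba or any other cited source. The HTML snippet, the hostnames under `.test`, the `sha384-PLACEHOLDER` integrity value and the key=value proxy log format are all constructed for illustration, and the domain is matched undefanged as `polyfill.io` (any subdomain).

```python
"""Audit HTML for residual polyfill.io tags / missing SRI and scan SWG logs for 401s.

Added example for this brief; not code from ctipilot.ch or any cited source.
All sample data below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The brief writes the domain defanged as polyfill[.]io; match it undefanged here,
# including every subdomain (cdn.polyfill.io etc.).
RISKY_SUFFIXES = ("polyfill.io",)


def is_polyfill_host(host: str) -> bool:
    """True for polyfill.io itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in RISKY_SUFFIXES)


class ScriptTagCollector(HTMLParser):
    """Collect every <script src=...> together with its integrity attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if "src" in a:
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity", "")})


def audit_html(html: str, own_host: str) -> dict:
    """Return polyfill.io references and third-party scripts that lack SRI."""
    parser = ScriptTagCollector()
    parser.feed(html)
    findings = {"polyfill_refs": [], "missing_sri": []}
    for s in parser.scripts:
        src = s["src"].strip()
        if src.startswith("//"):
            src = "https:" + src  # protocol-relative URLs still resolve to the CDN host
        host = urlsplit(src).hostname or ""
        if not host:
            continue  # relative path: same-origin, not a third-party include
        if is_polyfill_host(host):
            findings["polyfill_refs"].append(s["src"])
        if host != own_host.lower() and not s["integrity"]:
            findings["missing_sri"].append(s["src"])
    return findings


def parse_kv_line(line: str) -> dict:
    """Parse a constructed 'key=value key=value' proxy log line into a dict."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields


def pages_with_polyfill_401(log_lines) -> dict:
    """Map referring page -> number of 401 responses served by a polyfill.io host."""
    hits = {}
    for line in log_lines:
        f = parse_kv_line(line)
        host = urlsplit(f.get("url", "")).hostname or ""
        if f.get("status") == "401" and is_polyfill_host(host):
            page = f.get("referer", "(no referer)")
            hits[page] = hits.get(page, 0) + 1
    return hits


# Constructed sample HTML: two residual polyfill.io tags (one protocol-relative),
# one third-party script with SRI, one without, and one same-origin script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example-third-party.test/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example-third-party.test/analytics.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

# Constructed sample SWG log lines (format is hypothetical, not any vendor's).
SAMPLE_LOG = [
    "2026-06-05T10:12:03Z src=10.1.2.3 method=GET url=https://cdn.polyfill.io/v3/polyfill.min.js status=401 referer=https://www.example.test/products/",
    "2026-06-05T10:12:09Z src=10.1.2.7 method=GET url=https://cdn.polyfill.io/v3/polyfill.min.js status=401 referer=https://www.example.test/products/",
    "2026-06-05T10:13:41Z src=10.1.2.9 method=GET url=https://polyfill.io/v3/polyfill.min.js status=401 referer=https://www.example.test/support/",
    "2026-06-05T10:14:00Z src=10.1.2.9 method=GET url=https://cdn.example-third-party.test/lib.js status=200 referer=https://www.example.test/support/",
    "2026-06-05T10:14:02Z src=10.1.2.4 method=GET url=https://www.example.test/login status=401 referer=-",
]

if __name__ == "__main__":
    print(audit_html(SAMPLE_HTML, "www.example.test"))
    print(pages_with_polyfill_401(SAMPLE_LOG))
```

`audit_html` reports both polyfill.io tags (the protocol-relative form is easy to miss with a naive `https://polyfill.io` grep) and lists every third-party script without an `integrity` attribute, which is the SRI gap the brief tells you to close. `pages_with_polyfill_401` ignores 401s from your own login endpoint and only counts those answered by a polyfill.io host, grouping them by referring page so you know which templates to fix first.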