Last updated: July 5, 2026 at 9:01 AM UTC
Tag: cdn (2 articles)

Polyfill.io resurfaces, injecting fake login prompts on Toshiba and Muji sites

Toshiba and Muji have warned website visitors that suspicious sign-in screens appearing on their sites could harvest credentials, advising anyone who entered login data to change their passwords. The pop-ups were not produced by the brands' own code: they were injected by the external polyfill[.]io service, whose CDN began serving malicious JavaScript after the domain was bought by a Chinese entity in 2024, an incident that affected more than 100,000 websites. Japanese outlets report Zojirushi, FiNC Technologies, Ishiyaku Publishers, and Hobonichi were also hit, and a researcher observed the prompt on Samsung Smart TVs and on affected sites on June 1. Polyfill.io is a JavaScript compatibility CDN that serves feature polyfills tailored to the requesting browser's User-Agent for legacy-browser support; because the served script changes per client, a site cannot pin it with Subresource Integrity, and the only reliable protection is to remove every polyfill[.]io reference immediately.

Check
Grep your web properties and third-party tags (script and link tags, CDN links, GTM containers, and inline loaders that build the script URL at runtime) for any reference to polyfill[.]io. Check Samsung/IoT and legacy-browser-support code paths, which are the most likely to still load it. Review recent customer credential-reset reports and support tickets for mentions of unexpected sign-in pop-ups.
Affected
Any website still loading scripts from polyfill[.]io, the CDN compromised in 2024 and now serving credential-harvesting login prompts. Toshiba, Muji, several Japanese brands, and pages viewed on Samsung Smart TVs were hit.
Fix
Remove all polyfill[.]io references immediately. Most sites no longer need a polyfill service at all; where legacy-browser support is still required, switch to a trusted mirror (Cloudflare and Fastly both host one) or self-host a pinned copy. Subresource Integrity cannot protect a polyfill[.]io include because the script is generated per User-Agent, so removal is the fix; a Content-Security-Policy script-src that does not list the domain will block any straggler you missed. Force-reset credentials for any users who may have entered them into injected prompts.
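The check above, as an added example that is not code from the original page or from any of the affected sites: a small scanner that walks HTML for script, link and iframe references to polyfill.io (including URLs assembled inside inline scripts, which a plain grep of the src attribute misses) and walks a GTM container export for the same string. The sample HTML and the GTM JSON are constructed for the example; the iframe attribute and the JSON-path output format are assumptions, and a URL on another host (a mirror) is deliberately included to show it is not flagged.

```python
"""Added example: find polyfill.io references in HTML and in a GTM container export."""
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BAD_HOST = "polyfill.io"
# Attributes that load a remote resource; iframe is included as an assumption.
URL_ATTRS = {"script": "src", "link": "href", "iframe": "src"}
INLINE_RE = re.compile(r"polyfill\.io", re.IGNORECASE)


def _hostname(url: str) -> str:
    """Hostname of a URL; protocol-relative //host/path is common in old embeds."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlsplit(url).hostname or "").lower()


def _is_bad_host(host: str) -> bool:
    return host == BAD_HOST or host.endswith("." + BAD_HOST)


class PolyfillFinder(HTMLParser):
    """Collects (tag, attribute, value) for every polyfill.io reference,
    including URLs built inside inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._inline = None  # buffer for the current inline script, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = URL_ATTRS.get(tag)
        value = attrs.get(attr) if attr else None
        if value and _is_bad_host(_hostname(value)):
            self.findings.append((tag, attr, value))
        if tag == "script" and not attrs.get("src"):
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            if INLINE_RE.search(body):
                self.findings.append(("script", "inline", body.strip()[:80]))
            self._inline = None


def scan_html(html: str):
    parser = PolyfillFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_json_export(text: str):
    """Walk any JSON document (e.g. a GTM container export) and return the
    JSON paths of every string value that mentions polyfill.io."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str) and INLINE_RE.search(node):
            hits.append(path)

    walk(json.loads(text), "$")
    return hits


# Constructed sample page: two direct includes, one runtime loader, one
# preconnect hint, and one include from a different host that must not be flagged.
SAMPLE_HTML = """<html><head>
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://polyfill.io/v3/polyfill.min.js?features=fetch';
  document.head.appendChild(s);
</script>
<link rel="preconnect" href="https://polyfill.io">
</head><body></body></html>"""

# Constructed GTM-style export: one custom HTML tag carries the include.
SAMPLE_GTM = json.dumps({"containerVersion": {"tag": [
    {"name": "Legacy polyfill", "type": "html", "parameter": [
        {"type": "TEMPLATE", "key": "html",
         "value": '<script src="https://polyfill.io/v3/polyfill.min.js"></script>'}]},
    {"name": "Analytics", "type": "html", "parameter": [
        {"type": "TEMPLATE", "key": "html",
         "value": '<script src="https://example.com/a.js"></script>'}]}]}})

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print("html:", finding)
    for path in scan_json_export(SAMPLE_GTM):
        print("gtm:", path)
```

Run it against a crawl of your rendered pages rather than only your templates: tag managers and A/B testing tools inject includes the repository never shows.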

Underminr domain-fronting attack hijacks brand reputations via CDN trust - 42% of websites globally, 51% in US, vulnerable

ADAMnetworks researchers have disclosed Underminr, a domain-fronting attack that abuses how major content delivery networks route HTTP requests. The client resolves and connects to a trusted brand's domain, so the DNS query, the TLS SNI and the server certificate all name the legitimate site, but the HTTP Host header inside the encrypted connection names a different tenant of the same CDN, and the edge routes on that header. Protective DNS filters see only the lookup for the legitimate site and wave it through. ADAMnetworks estimates 42% of websites globally are vulnerable, 51% in the US, around one-third in Eastern Europe, and under 9% in China's heavily regulated internet. The researchers say attackers are already using the technique. Domain fronting itself is not a new idea; what the researchers quantify is how much of the web still sits behind edges that do not check the Host header against the SNI. Boutique security-focused CDNs that perform domain verification are not vulnerable; the larger general-purpose providers carry most of the exposure.

Check
Inventory your CDN providers and, for each, confirm whether the edge rejects a request whose HTTP Host header names a domain other than the one in the TLS SNI and certificate (a verifying edge returns an error rather than the other tenant's content). On the network side, only a TLS-terminating proxy can see the Host header: search its logs for connections whose SNI is a trusted domain but whose Host header names something else. DNS and SNI-only logs cannot show this, because in a fronted connection both name the legitimate site.
Affected
Roughly 42% of websites worldwide and 51% in the US, hosted on CDNs that do not perform strict Host-header verification at the edge. Boutique CDNs that verify domain ownership and reject mismatched Host headers are not vulnerable.
Fix
Move sensitive properties to CDNs that reject mismatched Host headers at the edge. Audit Protective DNS allowlists and pair them with TLS SNI inspection and, where you terminate TLS, HTTP Host inspection downstream; a DNS name on its own cannot distinguish a front from the real site, so treat domain-only allowlists as weak.
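The downstream check described in the Check and Fix sections, as an added example that is not code from ADAMnetworks or from the original page: it reads constructed TLS-proxy log lines, flags connections whose SNI and Host header name different registrable domains, and shows the same allowlist giving the wrong answer when applied to the resolved name only and the right answer when also applied to the Host header. The log format, the allowlist and the "last two labels" registrable-domain rule are assumptions for the example.

```python
"""Added example: spot domain fronting by comparing TLS SNI with HTTP Host."""
from typing import List, NamedTuple


class Record(NamedTuple):
    ts: str
    client: str
    dst_ip: str
    sni: str
    host: str  # "-" when the proxy could not see a Host header


# Constructed log lines in an assumed format: ts client dst_ip sni host.
# Line 3 is the fronted connection: SNI says the brand, Host says another tenant.
CONSTRUCTED_LOG = """\
2026-06-01T10:00:01Z 10.0.0.5 198.51.100.10 www.example.com www.example.com
2026-06-01T10:00:02Z 10.0.0.5 198.51.100.10 www.example.com static.example.com
2026-06-01T10:00:03Z 10.0.0.7 198.51.100.10 www.example.com c2-front.example.net
2026-06-01T10:00:04Z 10.0.0.9 198.51.100.11 cdn.example.org -
"""

# Constructed protective-DNS style allowlist of registrable domains.
ALLOWLIST = {"example.com", "example.org"}


def registrable_domain(name: str) -> str:
    """Last two labels. Simplification for the example: real tooling should
    use the Public Suffix List so that names like shop.example.co.uk work."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            records.append(Record(*parts))
    return records


def is_fronted(rec: Record) -> bool:
    """SNI and Host name different registrable domains: the connection was
    dressed as one site but asked the CDN edge for another tenant."""
    if rec.host == "-":
        return False  # nothing to compare; only DNS/SNI policy can apply
    return registrable_domain(rec.sni) != registrable_domain(rec.host)


def dns_only_allows(rec: Record) -> bool:
    """What a protective-DNS or domain-only allowlist decides: it sees only
    the resolved name, which is the same name the SNI carries."""
    return registrable_domain(rec.sni) in ALLOWLIST


def sni_and_host_allows(rec: Record) -> bool:
    """Same allowlist, but also applied to the Host header when visible."""
    if not dns_only_allows(rec):
        return False
    return rec.host == "-" or registrable_domain(rec.host) in ALLOWLIST


def find_fronting(text: str) -> List[Record]:
    return [rec for rec in parse_log(text) if is_fronted(rec)]


if __name__ == "__main__":
    for rec in parse_log(CONSTRUCTED_LOG):
        print(rec.ts, rec.sni, "->", rec.host,
              "FRONTED" if is_fronted(rec) else "ok",
              "| dns-only allows:", dns_only_allows(rec),
              "| sni+host allows:", sni_and_host_allows(rec))
```

The fourth line shows the limit of the approach: where the proxy never sees a Host header (no TLS termination), the record degrades to the DNS-only decision, which is exactly the blind spot the researchers describe.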