The polyfill[.]io CDN domain reactivated in late May 2026 and began serving HTTP 401 responses that trigger browser-native credential prompt dialogs on any site still loading scripts from the domain. No patch exists; removal of the dependency is the only fix. Confirmed affected sites include Toshiba, Muji, Samsung Smart TV portal, and others. This campaign is a direct consequence of the 2024 compromise that was widely publicized; organizations still referencing polyfill[.]io two years later face an avoidable and immediate credential-harvesting exposure.