The polyfill.io Sign-In Phishing Incident on janert.me

For a brief time, starting after 01 June 2026 (when there was no apparent problem) and 18 June 2026 (when the problem first came to my attention), visitors to this site were faced with a spurious “Sign-In” pop-up, identifying itself as “polyfill.io”.

This was a (late) consequence of the 2024 polyfill.io supply chain attack. If, by chance, you entered any credentials, you may want to change them where necessary.

The content and hosting of this site was (to my knowledge) never compromised.

This site has been using MathJax, Version 3, to render mathematical symbols and equations. At the time the templating infrastructure for this site was created (mid 2022), the recommended way to include MathJax on a webpage (according to the MathJax documentation) also included a link to polyfill.io.

The relevant parts of the templates have now been updated and are (as of now) using MathJax, Version 4, without a reference to polyfill.io.

The polyfill.io domain was taken over by a malicious actor in 2024. Sometime in early June 2026, changes were apparently made to the code hosted there, giving rise to a sign-in pop-up phishing attack. More details on Bleeping Computer or Gridinsoft.

Any links to polyfill.io have now been removed from this site. The site’s content was (to my knowledge) never compromised.

But should you have entered any credentials at the spurious sign-in pop-up, then you should change them were necessary as soon as possible.