browser

Google Chrome Silently Installs a 4 GB AI Model on Your Device Without Consent. At a Billion-Device Scale the Climate Costs Are Insane.

Google Chrome silently installs a 4 GB on-device AI model called Gemini Nano without user consent, writing it to users' devices as part of default AI features, then re-downloads it if deleted. This practice breaches European privacy laws (ePrivacy Directive and GDPR), lacks transparency, and generates significant environmental impact, with potential carbon emissions in the tens of thousands of tonnes when aggregated globally due to bandwidth and energy usage at Chrome's scale.

https://www.thatprivacyguy.com/blog/chrome-silent-nano-install/

Microsoft Edge Stores Passwords in Process Memory, Posing Risk

Security researcher Tom Jøran Sønstebyseter Rønning revealed that Microsoft Edge stores all saved passwords in cleartext in process memory, even when sites are not actively visited, allowing anyone with administrative privileges to extract these passwords and potentially escalate attacks within corporate environments. Microsoft considers this behavior “by design,” citing trade-offs between performance, usability, and security, but experts warn it poses significant risks, especially in shared or virtualized settings, and recommend organizations limit reliance on browsers for password storage and enforce strict access controls.

https://www.darkreading.com/cyber-risk/microsoft-edge-passwords-enterprise-risk

We Found a Stable Firefox Identifier Linking All Your Private Tor Identities

Researchers discovered a privacy vulnerability in Firefox-based browsers whereby the order of IndexedDB databases returned by the indexedDB.databases() API serves as a stable, process-scoped identifier. This allows unrelated websites to link user activity across origins and defeats privacy features in Firefox Private Browsing and Tor Browser, including Tor's “New Identity” function, by exposing a deterministic fingerprint until the browser process restarts. Mozilla has released a fix that canonicalizes the database order to eliminate this leakage and restore expected privacy guarantees.

https://fingerprint.com/blog/firefox-tor-indexeddb-privacy-vulnerability/

The Silent “Storm”: New Infostealer Hijacks Sessions, Decrypts Server-Side

A new infostealer named Storm, emerging in early 2026, steals browser credentials, session cookies, crypto wallets, and more by sending encrypted data to attackers' servers for decryption instead of decrypting locally, evading endpoint security detection. Storm automates session hijacking by restoring authenticated sessions remotely, enabling attackers to access SaaS platforms and cloud environments without triggering password alerts, and it is sold via tiered subscriptions on cybercrime forums.

https://www.bleepingcomputer.com/news/security/the-silent-storm-new-infostealer-hijacks-sessions-decrypts-server-side/

Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model

Anthropic identified 22 vulnerabilities in Firefox using its AI model, Claude Opus 4.6. Among these, 14 are high severity, discovering a significant number of issues addressed in Firefox 148. The model's efficiency in finding issues, compared to creating exploits, raises security concerns, highlighting AI's role in enhancing browser security. Mozilla reported additional vulnerabilities found through this collaboration, showcasing the benefits of AI-assisted analysis for continuous improvement in security.

https://thehackernews.com/2026/03/anthropic-finds-22-firefox.html

Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History

Malicious Chrome extensions, including CL Suite, are stealing sensitive data from Meta Business Suite users. These extensions exfiltrate TOTP codes, Business Manager analytics, and contact lists to attackers' servers. Other threats include over 500,000 VKontakte account hijackings and 32 AI-themed extensions that siphon user credentials. These attacks emphasize the growing misuse of browser extensions for data theft, prompting recommendations for cautious installation practices and regular audits.

https://thehackernews.com/2026/02/malicious-chrome-extensions-caught.html

New Clickfix Variant ‘CrashFix’ Deploying Python Remote Access Trojan

New Clickfix variant ‘CrashFix' uses social engineering to deploy Python Remote Access Trojan. It disrupts browsers, luring users into executing malicious commands after a deceptive browser extension installation. Attackers exploit native OS utilities to bypass defenses, emphasizing the need for behavior-based detection and user awareness. The model connects to C2 servers to gather information and maintain future access, highlighting evolving attack techniques. Organizations are urged to enable cloud protection and restrict unnecessary outbound access to mitigate risks.

https://www.microsoft.com/en-us/security/blog/2026/02/05/clickfix-variant-crashfix-deploying-python-rat-trojan/

Stanley — a $6,000 Russian Malware Toolkit With Chrome Web Store Guarantee

Varonis Threat Labs reveals “Stanley,” a $6,000 Russian malware toolkit that spoofs websites as a Chrome extension, guaranteeing Google Store approval. It employs aggressive tactics, targeting users through email compromises and Chrome notifications. The toolkit's capabilities include detailed user tracking, phishing page overlays, and backup protocol for command and control operations. Despite its visible faults, it capitalizes on browser vulnerabilities, posing significant risks until marketplace policies improve.

https://www.varonis.com/blog/stanley-malware-kit

Firefox Joins Chrome and Edge as Sleeper Extensions Spy on Users

Malicious browser extensions, including ShadyPanda and GhostPoster, have been found to spy on users across Firefox, Chrome, and Edge. These extensions behaved normally for years before switching to spyware after updates, leveraging techniques like steganography to hide malicious code. Seventeen affected extensions have over 840,000 downloads. Users are advised to uninstall any suspicious extensions and conduct a Malwarebytes Deep Scan to check for infections.

https://www.malwarebytes.com/blog/news/2026/01/firefox-joins-chrome-and-edge-as-sleeper-extensions-spy-on-users

Malicious GhostPoster Browser Extensions Found With 840,000 Installs

17 malicious GhostPoster browser extensions found in Chrome, Firefox, and Edge have accumulated 840,000 installs, employing hidden JavaScript for tracking, ad fraud, and backdoor access. These extensions, initially reported in December, include popular ones like “Google Translate in Right Click” and “Ads Block Ultimate.” They originated on Microsoft Edge and spread to other browsers, with some active since 2020. Recent variants show advanced evasion tactics, but affected users remain at risk even after removals from stores.

https://www.bleepingcomputer.com/news/security/malicious-ghostposter-browser-extensions-found-with-840-000-installs/

Trust Wallet Links $8.5 Million Crypto Theft to Shai-Hulud NPM Attack

Trust Wallet links $8.5M crypto theft to November's Shai-Hulud NPM attack, where an exploit of their Chrome extension enabled unauthorized access to over 2,500 wallets. Attackers used stolen GitHub secrets to inject malicious code into the browser extension's update. Trust Wallet has since revoked API access and started compensating affected users while repelling ongoing impersonation scams. The Shai-Hulud malware campaign compromised numerous npm packages, exposing 400,000 developer secrets.

https://www.bleepingcomputer.com/news/security/trust-wallet-links-85-million-crypto-theft-to-shai-hulud-npm-attack/

Trust Wallet Confirms Extension Hack Led to $7 Million Crypto Theft

Trust Wallet's Chrome extension was hacked on December 24, leading to $7 million in stolen cryptocurrency. Users reported wallet drain incidents post-update. Trust Wallet confirmed the issue and released a security patch (version 2.69) to resolve it, advising users to update immediately. A phishing campaign targeting affected users also emerged, prompting Trust Wallet to warn about compromised domains. Users should refrain from using version 2.68 and secure their funds by moving them to new wallets.

https://www.bleepingcomputer.com/news/security/trust-wallet-confirms-extension-hack-led-to-7-million-crypto-theft/

OpenAI Says AI Browsers May Always Be Vulnerable to Prompt Injection Attacks

OpenAI acknowledges AI browsers, like its Atlas, are perpetually at risk of prompt injection attacks, which manipulate AI to execute hidden malicious instructions. Despite efforts to enhance security, including a reinforcement learning-based automated attacker to identify flaws, prompt injections may never be fully mitigated, raising concerns about the safety of AI operation on the web. Ongoing layered defenses and user caution are recommended, yet the high access risk of these browsers poses a significant challenge.

https://techcrunch.com/2025/12/22/openai-says-ai-browsers-may-always-be-vulnerable-to-prompt-injection-attacks/

Two Chrome Flaws Could Be Triggered by Simply Browsing the Web: Update Now

Google has issued an unscheduled Chrome update to fix two serious vulnerabilities, CVE-2025-14765 in WebGPU and CVE-2025-14766 in the V8 JavaScript engine, that can be triggered remotely when users load maliciously crafted web pages. Because Chrome has billions of users, these flaws are high-value targets for attackers, and users are strongly urged to update immediately to version 143.0.7499.146/.147 on Windows and macOS or 143.0.7499.146 on Linux. The piece provides simple update instructions (using Chrome’s About page or automatic updates) and briefly explains that one bug is a use-after-free in WebGPU, leading to potential heap corruption, while the other is an out-of-bounds read/write in V8 that can allow attackers to access or modify memory and potentially run code with elevated permissions. The core message is that users should not delay restarting and updating Chrome, since merely browsing the web could expose them to attacks until the patch is applied.

https://www.malwarebytes.com/blog/news/2025/12/two-chrome-flaws-could-be-triggered-by-simply-browsing-the-web-update-now

HTTPS Certificate Industry Phasing Out Less Secure Domain Validation Methods

Google is phasing out less secure domain validation methods for HTTPS certificates to enhance internet security. This involves retiring 11 outdated validation practices like email and phone-based verifications, which are vulnerable to attacks. The transition will be gradual, fully implemented by March 2028. The goal is to adopt stronger, automated validation methods that ensure certificates are issued only to legitimate domain owners, ultimately making the web safer for all users.

https://security.googleblog.com/2025/12/https-certificate-industry-phasing-out.html

Scroll to Top