
All news with #browser security tag


DarkSpectre Browser Extension Campaigns Hit Millions

🔍 Koi Security links three coordinated browser-extension campaigns — ShadyPanda, GhostPoster, and DarkSpectre — to a Chinese threat actor that collectively compromised millions of users across Chrome, Edge, Opera, and Firefox. The attacks combine affiliate-link hijacking, ad and click fraud, time-delayed logic bombs, and a targeted Zoom Stealer component that exfiltrates meeting links, credentials, and participant data. Many add-ons behaved legitimately for years before being weaponized via malicious updates.

How to Browse the Web More Sustainably With a Green Browser

🌿 Wave Browser combines an efficient, modern browsing experience with verified environmental action through a partnership with 4ocean and adherence to AppEsteem standards. Built-in ad blocking, memory-saving utilities, and integrated productivity features reduce background processes and the need for multiple third-party extensions, lowering device and infrastructure energy use. Impact is tracked on the homepage with monthly reports toward a 300,000-pound cleanup goal by 2028.

GhostPoster campaign hides malware in 17 Firefox add‑ons

🚨 Koi Security uncovered the GhostPoster campaign that hid malicious JavaScript inside PNG logo files used by 17 Firefox add‑ons, collectively downloaded more than 50,000 times. The steganographic loader fetches secondary payloads from attacker-controlled servers only intermittently and uses long delays to avoid detection. Affected extensions — advertised as VPNs, ad blockers, translators, and utilities — have been removed from distribution.

GhostPoster: Malicious JavaScript Hidden in Firefox Add-ons

🕵️ Koi Security identified the GhostPoster campaign that hides JavaScript inside PNG logo images of malicious Firefox extensions, impacting more than 50,000 downloads. The dormant loader waits 48 hours, contacts hardcoded attacker domains and only fetches its payload about 10% of the time to evade detection. The decoded payload provides persistent, high-privilege access and enables affiliate hijacks, analytics injection, header stripping, CAPTCHA bypass and ad/click fraud. Users of flagged extensions should remove them and consider resetting critical account passwords.

Browser VPN Extension Found Harvesting AI Chat Data

🔒 Security researchers have found that the popular Chrome extension Urban VPN Proxy (featured in the Chrome Web Store and used by millions) contained scripts that intercepted AI chat conversations and transmitted them to company-controlled analytics servers. The functionality, introduced in version 5.5.0 on July 9, 2025, allegedly runs regardless of whether the VPN is active and cannot be disabled via settings. Koi's analysis says prompts, responses, timestamps and session identifiers were captured and compressed before exfiltration. The same capability was reportedly present in seven related extensions from the same publisher, potentially affecting more than 8 million users across Chrome and Edge.

Urban VPN Extension Caught Exfiltrating AI Chat Data

🔒 Researchers at Koi found that the popular Urban VPN Proxy browser extension injects scripts to capture full AI chat conversations — including prompts and responses — then exports them to the extension vendor's backend. The monitoring runs even when the VPN is disabled and activates on major platforms such as ChatGPT, Claude, Gemini, Perplexity and Grok. For organizations that paste internal code, data or research into AI tools, this creates a significant data-theft risk outside corporate controls.

Browser Extension Risk Guide After ShadyPanda Campaign

🔒 The ShadyPanda campaign hijacked thousands of legitimate Chrome and Edge extensions, converting them into spyware and RCE-enabled backdoors via silent updates. About 4.3 million users installed compromised add‑ons that could steal session cookies and impersonate SaaS accounts. Organizations should enforce extension allow lists, audit permissions, and treat extensions like OAuth apps. Platforms such as Reco can help bridge browser, endpoint, and SaaS visibility.

Securing GenAI in the Browser: Policy and Controls

🔒 The article argues that the browser is now the primary interface for enterprise GenAI and outlines a practical security model combining policy, isolation, and precision data controls. It recommends categorizing GenAI services into sanctioned and public tools, enforcing SSO for corporate identities, and preventing cross‑account leakage. The piece highlights the risks of prompt copy/paste, file uploads, and extensions, and advises per‑site/session controls, telemetry, and a pragmatic 30‑day Secure Enterprise Browser (SEB) rollout to enable safe, productive use.

ConsentFix: Browser-based evolution of ClickFix phishing

🔒 Researchers at Push Security describe ConsentFix, a browser-only evolution of the ClickFix phishing technique that captures OAuth tokens for Microsoft logins. The attack leverages legitimate but compromised sites and a fake Cloudflare-style CAPTCHA to trick victims into copying and pasting a URL containing an OAuth token, which yields account access via Azure CLI without a password or MFA. Push Security warns the method avoids many endpoint and authentication defenses and is difficult to detect; mitigation requires tightened consent governance, enhanced monitoring, and browser-based protections.

Brave Tests Agentic AI Browsing Mode for Automated Tasks

🤖 Brave has begun testing an agentic AI browsing mode that uses its privacy-focused assistant Leo to perform autonomous tasks like web research, product comparison, promo-code discovery, and news summarization. The feature is currently available in Brave Nightly and is disabled by default. Brave isolates the agent in a separate profile without access to cookies, logins, or sensitive data and adds restrictions plus an alignment checker to mitigate prompt-injection and other risks.

Prisma Browser Named Frost Radar Zero Trust Leader

🔒 Palo Alto Networks announces that Prisma Browser has been named the best-positioned market leader in the Frost Radar: Zero Trust Browser Security (ZTBS), 2025 report, recognized for both innovation and growth. The vendor frames the browser as the enterprise 'OS' where 85% of work occurs and 95% of security incidents originate, emphasizing the urgent need for native browser defenses. Powered by Precision AI, Cloud-Delivered Security Services and embedded Enterprise DLP, Prisma Browser inspects live, fully rendered content to detect evasive AI-driven phishing, zero-day browser exploits and malicious extensions. Combined with Advanced WildFire, URL Filtering and runtime extension security, the solution delivers last-mile protection without disrupting user workflows.

Hardening Browser Security with Zero Trust Controls

🔒 The article argues that the browser must be the primary enforcement point for enterprise zero trust, replacing outdated perimeter assumptions with per-request, context-aware controls. It synthesizes NIST SP 800-207 and 800-207A plus CISA guidance to describe identity-first access, least-privilege entitlements, continuous verification, phishing-resistant MFA (FIDO2/WebAuthn), device posture gating and remote browser isolation. Practical recommendations include SSO with short-lived tokens, SCIM-driven provisioning, ZTNA access proxies and governance-as-code to automate policy and reduce exposure.

Malicious Chrome and Edge Extensions Abused by ShadyPanda

🛡️ Researchers at Koi Security uncovered a multi-year campaign by an actor dubbed ShadyPanda that abused trusted Chrome and Edge extensions to harvest browsing data, manipulate search results and traffic, and install a backdoor. The group amassed roughly 4.3 million infected browser instances by publishing legitimate-looking add-ons and later pushing malicious updates. Although many extensions have been removed from stores, infected browsers remain at risk because extensions auto-update and marketplaces generally review only at submission.

Browser Defense Playbook: Securing the New Work Center

🛡️ Unit 42’s Browser Defense Playbook warns that modern work happens primarily in the browser—about 85% of daily tasks—and that attackers increasingly exploit that centrality with phishing, malicious extensions, drive-by downloads and session hijacks. The guide identifies common failures such as unmanaged extensions, lax policies and blind spots in encrypted traffic. It recommends extending zero trust to the browser with strong MFA, conditional access, continuous monitoring and vetted extension allow lists, and points to Prisma Browser for agentless inspection and DLP.

Malicious Chrome and Edge Extensions Threaten Enterprises

🔍 Koi Security revealed a long-running surveillance campaign by an actor it calls 'ShadyPanda' that abused legitimate-seeming Chrome and Edge extensions to harvest browsing data, hijack search results, and deploy a backdoor enabling remote code execution. The group built trust by publishing useful extensions (including Clean Master) and then silently pushed malicious updates that bypassed marketplace re-approval. With an estimated 4.3 million infected browser instances, enterprises should treat browser extensions as high-risk assets and urgently audit and remediate add-ons on corporate and employee devices.

ShadyPanda Browser Extension Campaign Hits 4.3M Users

🛡️ A seven-year browser extension campaign attributed to the actor known as ShadyPanda has infected 4.3 million Chrome and Edge users by operating legitimately for years and then pushing malicious updates. A Koi Security report describes a remote code execution backdoor that affected roughly 300,000 users across five extensions, including Clean Master, and a parallel spyware push via Edge extensions such as WeTab. Malicious updates enabled hourly downloads of arbitrary JavaScript, extensive logging of site visits, exfiltration of encrypted browsing histories, and comprehensive browser fingerprinting.

ShadyPanda Converts Popular Browser Extensions into Spyware

🔒 A threat actor tracked as ShadyPanda operated a seven-year browser-extension campaign that amassed over 4.3 million installs by converting popular add-ons into data-stealing spyware. Koi Security reports that five extensions were modified in mid-2024 to run hourly remote code execution, download arbitrary JavaScript, and exfiltrate encrypted browsing histories and full browser fingerprints. Notable victims include Clean Master — once verified by Google — and WeTab, which still had millions of installs. Users should remove affected extensions and rotate credentials immediately while marketplaces review post-approval update controls.

ShadyPanda Extensions Reach 4.3M Installs, Spyware

⚠️ Koi Security uncovered the long-running "ShadyPanda" operation that amassed over 4.3 million installs of Chrome and Edge browser extensions, many of which transitioned from legitimate tools to spyware. The campaign, active since 2018, progressed through phases—starting with affiliate-fraud injections, moving to search hijacking, and culminating in a remote backdoor capable of executing arbitrary JavaScript. Google has removed numerous extensions from the Chrome Web Store, but several high-install Edge add-ons remain available and continue to collect browsing data, keystrokes, cookies, and device fingerprints. Users are advised to remove suspect extensions immediately and reset account passwords.

Agentic AI Browsers: New Threats to Enterprise Security

🚨 The emergence of agentic AI browsers converts the browser from a passive viewer into an autonomous digital agent that can act on users' behalf. To perform tasks—booking travel, filling forms, executing payments—these agents must hold session cookies, saved credentials, and payment data, creating an unprecedented attack surface. The piece cites OpenAI's ChatGPT Atlas as an example and warns that prompt injection and the resulting authenticated exfiltration can bypass conventional MFA and network controls. Recommended mitigations include auditing endpoints for shadow AI browsers, enforcing allow/block lists for sensitive resources, and augmenting native protections with third-party browser security and anti-phishing layers.

Comet AI Browser's Embedded API Permits Device Access

⚠️ Security firm SquareX disclosed a previously undocumented MCP API inside the AI browser Comet that enables embedded extensions to execute arbitrary commands and launch applications — capabilities mainstream browsers normally block. The API can be triggered covertly from pages such as perplexity.ai, creating an execution channel exploitable via compromised extensions, XSS, MITM, or phishing. SquareX highlights that the analytics and agentic extensions are hidden and cannot be uninstalled, leaving devices exposed by default.