← Back to Security Blog
Security Briefing 7 min read

Chrome's First 2026 Zero-Day + AI Frameworks Under Attack

Google patches first Chrome zero-day of 2026. AI agent frameworks like OpenClaw are now targeted by specialized infostealers. Over 300 malicious browser extensions discovered with 37 million downloads. Meanwhile, CISA is operating at only 38% capacity.


Critical: Chrome Zero-Day CVE-2026-2441

Actively Exploited in the Wild — Update Chrome Immediately

Google has released an emergency patch for the first Chrome zero-day vulnerability of 2026. The arbitrary code execution flaw is being actively exploited.

Detail Information
CVE CVE-2026-2441
Type Arbitrary Code Execution
Severity CRITICAL
Status Actively exploited in the wild
Fix Chrome 145 — Update now

Immediate Actions

  1. Update Chrome to version 145 immediately
  2. Enable automatic updates if not already active
  3. Consider temporary browser restriction until patching is complete

BeyondTrust RCE — Exploited Within 24 Hours

CVE-2026-1731: Critical unauthenticated remote code execution in BeyondTrust Remote Support. Exploitation began within 24 hours of PoC release.

CISA Emergency Directive

CISA has ordered all federal agencies to patch within 3 days. If you use BeyondTrust, this is your top priority.


Ivanti EPMM — Single Actor Dominates Attacks

Security researchers have identified that 83% of all Ivanti EPMM exploitation attempts come from a single threat actor. CVE-2026-1281 and CVE-2026-1340 continue to be actively exploited.

This concentrated attack pattern suggests a highly organized operation — patch and monitor urgently.


AI Frameworks Now Under Attack

⚠️ New Threat: Infostealers Targeting AI Agent Frameworks

Security researchers have documented the first known malware specifically targeting OpenClaw and similar AI agent frameworks. The malware steals:

This is a significant development. As agentic AI assistants become mainstream, they're becoming high-value targets. Organizations using AI frameworks should:

  1. Audit API key storage and rotation policies
  2. Implement secret scanning in CI/CD pipelines
  3. Monitor for unauthorized access to agent configurations
  4. Use short-lived tokens where possible

ClickFix Attacks Evolve — Now Using DNS

Three new ClickFix variants discovered this week show rapid evolution:

Variant Technique Target
DNS-Based (NEW) Uses nslookup to retrieve PowerShell payloads Windows
Pastebin Comments Malicious JavaScript hijacks Bitcoin transactions Crypto users
Claude LLM Artifacts Abuses AI-generated artifacts via Google Ads macOS

The DNS-based technique is particularly concerning — it's the first known use of DNS as a payload delivery channel for ClickFix campaigns, deploying "ModeloRAT" malware. Microsoft has issued a warning.


300+ Malicious Browser Extensions — 37M Downloads

Audit Your Browser Extensions Now

Security researchers have identified over 300 malicious browser extensions with a combined 37 million downloads. These extensions leak data, steal personal information, and track users.

Notable example: The "CL Suite" extension targets Meta Business Suite users, stealing 2FA TOTP codes and Business Manager credentials.

Recommended Actions

  1. Audit all installed browser extensions
  2. Remove extensions with excessive permissions
  3. Prefer extensions from verified publishers
  4. Implement extension allowlists for enterprise environments

Major Breaches This Week

Organization Records Details
Odido (Dutch telecom) 6 million Names, addresses, phone numbers
Eurail B.V. Unknown Traveler data now for sale on dark web
Canada Goose 600K ShinyHunters — personal + payment data
LVMH (Vuitton/Dior/Tiffany) 5.5M $25M fine in South Korea

CISA Operating at 38% Capacity

Due to the DHS shutdown that began February 14, CISA is currently operating with only 888 of 2,341 staff. This significantly reduces federal cybersecurity oversight at a critical time.

Organizations should not rely on federal threat intelligence being as timely during this period. Increase internal monitoring and subscribe to commercial threat feeds.


VoidLink: New Cloud-Focused Malware Framework

A new malware framework called VoidLink has been identified, operated by threat actor UAT-9921 (active since 2019):


Today's Numbers

Metric Value
Active zero-days 2 (Chrome, BeyondTrust)
Major breaches 4
Records exposed 12M+
Fines issued $25M
Malicious extensions 300+
Extension downloads 37M
CISA capacity 38%

Today's Priorities

  1. PATCH NOW: Chrome 145 (CVE-2026-2441) + BeyondTrust + Ivanti EPMM
  2. AUDIT: Browser extensions — remove unknowns
  3. REVIEW: AI framework security — API key hygiene
  4. MONITOR: DNS-based payload delivery (ClickFix evolution)
  5. INCREASE: Internal threat monitoring during CISA reduced capacity

Protect Your Organization with KENSAI

AI-powered vulnerability management with 332,660+ CVEs indexed.

Start Free Scan

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

📚 Related Articles