← Back to Blog
Security Briefing4 min read2026-04-15

Security Briefing, April 15 2026: Patch Tuesday, Malicious Chrome Extensions, and Access Drift

Today’s security briefing tracks three concrete stories shaping the day: Microsoft’s April Patch Tuesday, a campaign of 100+ malicious Chrome extensions stealing tokens and sessions, and access-governance failures at Kraken and McGraw-Hill.


Top line: The strongest signal this morning is not one ransomware brand. It is the same control debt appearing across multiple incidents: urgent patching, browser-session theft, and access that survives longer than it should.


1. Microsoft’s Patch Tuesday is big, and one SharePoint zero-day was already exploited

Microsoft released fixes for 167 vulnerabilities in April 2026, including two zero-days. One of them, a SharePoint Server spoofing vulnerability, was already exploited in the wild. Microsoft also shipped fixes for critical Office remote-code-execution bugs and a Defender privilege-escalation issue that updates through the antimalware platform.


2. More than 100 Chrome extensions turned the browser into an identity theft surface

Researchers at Socket linked over 100 malicious Chrome Web Store extensions to one coordinated campaign. The extensions reportedly stole Google OAuth2 bearer tokens, harvested account data, hijacked Telegram Web sessions, and fetched remote commands in the background. That is not “just a browser add-on” risk. It is identity, session, and trust abuse inside the user’s already authenticated environment.


3. Kraken and McGraw-Hill show why insider and third-party access still breaks clean stories

Kraken said an extortion group is threatening to release videos of internal systems after improper access by support employees exposed limited customer-support data affecting roughly 2,000 accounts. McGraw-Hill separately said attackers accessed limited internal data through a Salesforce-hosted webpage misconfiguration, while ShinyHunters claimed a much larger haul. The exact blast radius differs, but the pattern is the same: support workflows and hosted business systems often keep more trust than teams think.


What security teams should do today

  1. Prioritize exploited and externally reachable Microsoft assets first.
  2. Run an extension sweep and session revocation plan for high-risk users.
  3. Audit support, supplier, and SaaS admin access with owners and expiry dates.
  4. Use one executive update that covers patches, browser identity abuse, and third-party access in the same risk picture.

Bottom line: Today’s stories all point to the same operational truth. Attackers are winning in the gap between nominal control and verified control, between “patched” and actually fixed, between “logged in” and truly trusted, between “temporary access” and lingering privilege.

Close the gap before it becomes tomorrow’s incident

KENSAI helps teams verify exposed trust paths, patch coverage, and internet-facing security reality before attackers turn drift into leverage.

Start Free Scan →

Stay sharp.

🗡️ KENSAI Security Team