Study finds popular Chrome add‑ons secretly harvesting clipboards, rerouting searches and mimicking trusted tools
Read Our Expert Analysis
Create an account or login for free to unlock our expert analysis and key takeaways for this development.
By continuing, you agree to receive marketing communications and our weekly newsletter. You can opt-out at any time.
Recommended for you
CrashFix: Chrome extension that forces browser crashes to deliver ModeloRAT targets corporate networks
A malicious Chrome add-on masquerading as an ad blocker deliberately destabilizes the browser to trick users into running clipboard-pasted commands that install a Python-based remote access trojan. The campaign, attributed to an actor tracked as KongTuke and active since early 2025, focuses on domain-joined machines in corporate environments and uses a timed denial-of-service loop to sustain the social-engineering lure.

CERT-In alerts users to high-risk flaws in Apple Pages/Keynote and Google Chrome; apply patches now
India’s national cybersecurity agency has identified exploitable vulnerabilities in Apple Pages/Keynote and Google’s desktop Chrome that could allow data disclosure or remote code execution. Vendors issued fixes in late January 2026; organisations should prioritise deploying those updates immediately and treat them in the context of a broader trend of vendor emergency patches for document- and API-handling flaws.
Security flaws in popular open-source AI assistant expose credentials and private chats
Researchers discovered that internet-accessible instances of the open-source assistant Clawdbot can leak sensitive credentials and conversation histories when misconfigured. The exposure enables attackers to harvest API keys, impersonate users, and in one test led to extracting a private cryptographic key within minutes.
Global: OpenClaw plugin marketplace compromised by supply‑chain poisoning of AI skills
Researchers report that hundreds of malicious 'skills' were uploaded to OpenClaw’s ClawHub, delivering backdoors and credential‑theft routines. Separately discovered operational exposures — including internet‑reachable gateways, leaked API tokens and an OpenClaw CVE patched in a maintenance release — magnify the risk of large‑scale compromise across agent deployments.

Investigation Finds App Stores Hosting Scores of AI ‘Nudify’ Tools, Exposing Policy Gaps
An industry watchdog located dozens of AI-powered apps in Apple and Google app stores that convert ordinary photos into sexualized images, prompting staggered removals, suspensions and conflicting counts from stakeholders. The episode dovetails with separate regulatory scrutiny of large generative systems — including an EU inquiry into xAI’s Grok and nonprofit findings that flagged weak age and safety controls — underscoring rising demands for pre-deployment risk assessments, stronger store admission controls and cross-border data safeguards.
VS Code extensions left 128 million installs vulnerable to exploitation
A security review uncovered critical and high-severity flaws in four popular Visual Studio Code extensions, collectively reaching about 128 million installs and enabling file theft, remote code runs, and network reconnaissance. Three formal CVEs were published and researchers say multiple maintainers ignored notifications for months, forcing public disclosure and urgent mitigation guidance.
Surveillance, security lapses and viral agents: a roundup of risks reshaping law enforcement and AI
Recent coverage links expanded government surveillance tooling to broader operational risks while detailing multiple consumer- and enterprise-facing AI failures: unsecured agent deployments exposing keys and chats, a child-toy cloud console leaking tens of thousands of transcripts, and a catalogue of apps and model flows that enable non-consensual sexualized imagery. Together these episodes highlight how rapid capability adoption, weak defaults, and inconsistent platform enforcement magnify privacy, legal and security exposure.
Google embeds a persistent AI sidebar in Chrome and pilots agentic web automation
Google has moved its conversational model into a permanent Chrome sidebar and is piloting autonomous web agents that can navigate sites, complete forms and assist with purchases. The rollout starts with paying U.S. subscribers and expands platform support to select Chromebooks while raising practical reliability and privacy questions.