Browser Threat Report: Active Exploitation Targets Credentials, RCE, and Phishing
Critical OIDC Flaws in OpenBao Lead to Session Hijacking and Phishing Risks
- OpenBao, an open-source secrets management solution, has been found to contain critical OpenID Connect (OIDC) vulnerabilities (CVSS 3.1: 9.6) that could enable session hijacking and cross-site scripting (XSS).
- The identified flaws, CVE-2026-33758 and CVE-2026-33760, specifically affect OpenBao's "direct login" functionality, allowing attackers to manipulate URLs so that users are redirected to attacker-controlled destinations.
- These vulnerabilities create a significant phishing risk, as threat actors could craft malicious URLs to trick users into divulging authentication tokens or compromising their active sessions.
Source: SecurityOnline.info | Date: March 27, 2026
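The report describes redirect-URL manipulation in a login flow. The following is an added example, not OpenBao's code or any code from SecurityOnline.info: it places the weak string-prefix check that open-redirect bugs commonly get past beside a strict origin-allowlist check, so that a defender reviewing a login handler can see what the hardened form must reject. The allowlisted origins, the fallback URL and the sample inputs are constructed for the demonstration.

```python
"""Strict post-login redirect validation.

Added example (not OpenBao code): a defensive allowlist check for the kind of
redirect parameter the report says can be manipulated, shown beside the naive
prefix check that such bugs usually slip past.  The allowlisted origins, the
fallback and the sample URLs are constructed for this demo.
"""
from urllib.parse import urlsplit

# Constructed allowlist of (scheme, host) origins that may receive a redirect.
ALLOWED_ORIGINS = {("https", "vault.example.com"), ("https", "app.example.com")}

# Constructed fixed landing page used whenever the requested target is refused.
FALLBACK = "https://vault.example.com/ui/"


def naive_is_safe(url):
    """The weak pattern: a string-prefix test.  Shown only to contrast with the
    check below; it accepts any host that merely *starts with* the allowed name."""
    return url.startswith("https://vault.example.com")


def is_safe_redirect(url):
    """True only for an absolute https URL whose exact origin is allowlisted.

    Rejects scheme-relative URLs (//host), non-https schemes, whitespace,
    control characters and backslashes (parser-confusion inputs), userinfo
    (allowed@other), explicit ports, and hosts that merely begin with an
    allowed name (allowed.com.other).
    """
    if not isinstance(url, str) or not url:
        return False
    if any(ch in url for ch in "\\\r\n\t\x00 "):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname       # lower-cased, with userinfo and port stripped
    # If the raw netloc carries anything beyond the bare host (userinfo, port,
    # brackets), it will not equal the normalised hostname: refuse outright.
    if not host or parts.netloc.lower() != host:
        return False
    return (parts.scheme.lower(), host) in ALLOWED_ORIGINS


def choose_redirect(requested, fallback=FALLBACK):
    """Return the requested target if it passes the check, else the fixed fallback."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    for candidate in ("https://vault.example.com/ui/",
                      "https://vault.example.com.evil.example.net/",
                      "//evil.example.net/",
                      "https://vault.example.com@evil.example.net/"):
        print(f"{candidate!r:55} naive={naive_is_safe(candidate)!s:5} "
              f"strict={is_safe_redirect(candidate)}")
```

The design choice worth noting is that the check compares the raw `netloc` against the parsed `hostname`: any decoration (userinfo, port, IPv6 brackets) makes the two differ and the URL is refused without needing a separate rule per trick. Relative paths are deliberately not accepted either; a service that wants them should resolve them against its own origin first and then run the same absolute-URL check.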
Decades-Old libpng Library Flaws Enable Remote Code Execution
- Severe vulnerabilities, including Remote Code Execution (RCE) and flaws in the ARM NEON code paths, have been discovered in `libpng`, the reference library for the PNG image format and a component used across numerous applications, including web browsers.
- These 30-year-old flaws, tracked as CVE-2026-33636 and CVE-2026-33416, stem from issues such as out-of-bounds reads and integer overflows within the library's code.
- Successful exploitation of these vulnerabilities could permit attackers to execute arbitrary code on systems that process specially crafted malicious PNG images, posing a broad threat to affected software.
Source: SecurityOnline.info | Date: March 29, 2026
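The libpng item names out-of-bounds reads and integer overflows triggered by crafted PNG images. The following is an added example, not libpng's code or anything from the cited article: it parses and CRC-checks a PNG `IHDR` header, shows how a spec-valid but huge width makes a 32-bit row-size computation wrap to a tiny value (the overflow-to-OOB pattern the report describes), and then applies the exact-arithmetic check with explicit size limits that a consumer of untrusted images should run before allocating anything. The policy limits, the header bytes and the helper names are constructed for this demonstration.

```python
"""Overflow-aware validation of a PNG image header.

Added example (not libpng code): demonstrates the integer-overflow bug class
named in the report on a constructed IHDR chunk, and the exact-arithmetic
size check that rejects such an image before any buffer is allocated.
The policy limits and PNG bytes are constructed for this demo.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed policy limits for a service that decodes untrusted images.
MAX_DIMENSION = 1 << 20              # pixels per side
MAX_IMAGE_BYTES = 256 * 1024 * 1024  # decoded bytes we are willing to hold

# Channels per PNG colour type: 0 grey, 2 RGB, 3 palette, 4 grey+alpha, 6 RGBA.
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}
VALID_BIT_DEPTHS = {0: {1, 2, 4, 8, 16}, 2: {8, 16}, 3: {1, 2, 4, 8},
                    4: {8, 16}, 6: {8, 16}}


def build_png_header(width, height, bit_depth=8, color_type=6):
    """Build signature + IHDR chunk only (a test fixture, not a decodable PNG)."""
    data = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + data + struct.pack(">I", crc)


def parse_ihdr(buf):
    """Parse and CRC-check the IHDR chunk; raise ValueError on anything malformed."""
    if len(buf) < 33:
        raise ValueError("truncated header")
    if buf[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    length, chunk_type = struct.unpack(">I4s", buf[8:16])
    if chunk_type != b"IHDR" or length != 13:
        raise ValueError("first chunk must be a 13-byte IHDR")
    data = buf[16:29]
    (crc,) = struct.unpack(">I", buf[29:33])
    if zlib.crc32(chunk_type + data) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, bit_depth, color_type, comp, filt, interlace = struct.unpack(">IIBBBBB", data)
    if color_type not in CHANNELS or bit_depth not in VALID_BIT_DEPTHS[color_type]:
        raise ValueError("invalid colour type / bit depth combination")
    if comp != 0 or filt != 0 or interlace not in (0, 1):
        raise ValueError("unsupported compression, filter or interlace method")
    return {"width": width, "height": height, "bit_depth": bit_depth, "color_type": color_type}


def unchecked_rowbytes32(width, bit_depth, color_type):
    """Row size as an unsigned 32-bit C expression would compute it: the
    multiplication wraps, so a huge width can yield a near-zero row size."""
    pixel_depth = CHANNELS[color_type] * bit_depth
    return ((width * pixel_depth + 7) & 0xFFFFFFFF) >> 3


def checked_image_size(ihdr):
    """Exact-arithmetic check: return (rowbytes, total_bytes) or raise ValueError."""
    w, h = ihdr["width"], ihdr["height"]
    if not (0 < w <= MAX_DIMENSION and 0 < h <= MAX_DIMENSION):
        raise ValueError("dimensions exceed policy")
    pixel_depth = CHANNELS[ihdr["color_type"]] * ihdr["bit_depth"]
    rowbytes = (w * pixel_depth + 7) // 8   # Python ints do not wrap
    total = rowbytes * h
    if total > MAX_IMAGE_BYTES:
        raise ValueError("decoded image exceeds size policy")
    return rowbytes, total


def validate_png_header(buf):
    """Full pre-allocation gate: structural checks, CRC, then size policy."""
    ihdr = parse_ihdr(buf)
    rowbytes, total = checked_image_size(ihdr)
    return {**ihdr, "rowbytes": rowbytes, "total_bytes": total}


if __name__ == "__main__":
    crafted = parse_ihdr(build_png_header(1 << 28, 1, 16, 6))  # constructed width
    print("32-bit rowbytes for crafted header:",
          unchecked_rowbytes32(crafted["width"], crafted["bit_depth"], crafted["color_type"]))
    try:
        checked_image_size(crafted)
    except ValueError as exc:
        print("exact check rejected it:", exc)
```

The constructed header has width 2^28 with 16-bit RGBA pixels, which is within the PNG format's 2^31-1 limit yet makes the 32-bit product width × 64 wrap to 0 bits, giving a row size of zero bytes; an allocation of that size followed by writes of real row data is exactly the out-of-bounds condition the report attributes to the library. Doing the arithmetic in unbounded integers and comparing against an explicit per-side and total-bytes budget removes that class of error regardless of the host's word size.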
New macOS Infinity Stealer Leverages Nuitka Python and ClickFix for Data Exfiltration
- A novel macOS malware, dubbed "Infinity Stealer," has emerged, employing a Nuitka Python payload and the legitimate ClickFix utility to facilitate its operations and exfiltrate sensitive user data.
- The Infinity Stealer is designed to target a wide range of valuable information from macOS systems, including browser data, cryptocurrency wallet credentials, and other personal files, often by masquerading as benign applications.
- The inclusion of ClickFix suggests the malware may interact with user interfaces or exploit click events within web browsers, enhancing its ability to discreetly achieve its data theft objectives.
Source: Security Affairs | Date: March 28, 2026
Russia-Linked APT TA446 Targets iPhone Users with DarkSword Phishing Campaign
- The Russia-linked advanced persistent threat (APT) group TA446 has initiated a sophisticated phishing campaign utilizing the "DarkSword" exploit to target iPhone users, aiming for device compromise and data exfiltration.
- The campaign employs highly convincing social engineering tactics, such as fake package delivery notifications sent via SMS, to entice victims into clicking malicious links.
- While specifically targeting iOS, the attack relies heavily on browser interaction through these phishing links, exploiting potential vulnerabilities within the web browser or underlying operating system to achieve full device takeover.
Source: Security Affairs | Date: March 28, 2026
References
- Critical 9.6 CVSS OIDC Flaws in OpenBao Turn "Direct Login" Into a Phishing Trap - SecurityOnline.info
- The 30-Year Glitch: RCE and ARM Exploits Uncovered in libpng Reference Library - SecurityOnline.info
- New macOS Infinity Stealer uses Nuitka Python payload and ClickFix - Security Affairs
- Russia-linked APT TA446 uses DarkSword exploit to target iPhone users in phishing wave - Security Affairs