Chrome Zero-Days & AI Agent Flaws Fuel Web Security Concerns

OpenClaw AI Agent Flaws Expose Users to Prompt Injection and Data Theft

• Researchers at Adversa AI uncovered critical prompt injection and sensitive data exfiltration vulnerabilities in OpenClaw, an open-source framework for AI agents.
• The flaws enable attackers to manipulate AI agents by injecting malicious instructions through crafted web content, potentially leading to unauthorized actions or access to user data, including API keys.
• A significant vulnerability exists in the browse_website tool, which could be exploited to leak local files or access internal networks if not adequately sandboxed, blurring traditional browser security boundaries.

Source: The Hacker News | Date: March 18, 2026

GlassWorm Attack Leverages 72 Malicious VSX Extensions to Target Developers

• Check Point Research disclosed "GlassWorm," a supply-chain attack exploiting 72 compromised Visual Studio Code (VS Code) extensions available on the Open VSX marketplace.
• These malicious extensions were designed to steal developer credentials, execute arbitrary code, and establish persistent backdoors within development environments.
• The attack underscores a growing risk akin to malicious browser extensions, highlighting the critical need for rigorous vetting of third-party software and components in developer workflows.

Source: The Hacker News | Date: March 14, 2026

Google Issues Corrective Chrome Update for Imperfectly Patched Zero-Day

• Google released an emergency Chrome update (version 122.0.6261.129) to fully address CVE-2026-1011, a use-after-free vulnerability in the V8 JavaScript engine, which was not completely resolved in the prior 122.0.6261.128 release.
• The flaw impacts all Chrome users on Windows, macOS, and Linux running versions prior to 122.0.6261.129, and has been actively exploited in the wild.
• Users are strongly advised to update their Chrome browsers immediately to the latest version to ensure full protection against this critical, actively exploited vulnerability.

Source: Security.nl | Date: March 12, 2026

CISA Adds Two Actively Exploited Chrome Zero-Days to KEV Catalog

• CISA has added two Google Chrome zero-day vulnerabilities, CVE-2026-1011 (V8 use-after-free) and CVE-2026-1012 (WebGPU use-after-free), to its Known Exploited Vulnerabilities (KEV) Catalog.
• Both critical flaws are remote code execution vulnerabilities that have been actively exploited in real-world attacks, posing immediate and severe risks to unpatched Chrome installations.
• Federal agencies are mandated to patch these vulnerabilities by March 21, 2026, emphasizing the critical importance of prompt updates for all users.

Source: The CyberThrone.in | Date: March 14, 2026

Storm-2561 Group Deploys Phishing to Steal Corporate VPN Logins

• Microsoft Threat Intelligence reported that the Storm-2561 threat actor group is conducting sophisticated phishing campaigns using highly convincing spoofed VPN login pages.
• The campaign specifically targets organizations with remote workforces, aiming to compromise corporate accounts by tricking users into submitting their credentials on fraudulent websites.
• This ongoing threat highlights the efficacy of browser-based social engineering in bypassing security measures and the critical need for user education on identifying malicious web pages.

Source: Security Affairs | Date: March 14, 2026

References

1. OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration - The Hacker News
2. GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers - The Hacker News
3. Google meldde ten onrechte dat Chrome-lek was gedicht, rolt nieuwe update uit - Security.nl
4. CISA Adds Two Google Chrome Zero-Days to KEV - The CyberThrone.in
5. Storm-2561 lures victims to spoofed VPN sites to harvest corporate logins - Security Affairs