Exploit Brokers by Forgebound Research
Hey there,
It's Cipherceval. What happens when the tools we built to make us more productive start turning against us? This week's episode is stacked, and there's a theme that's impossible to ignore: AI is reshaping both sides of the cybersecurity battlefield, and fast. We've got five stories covering everything from a zero-day in the browser you're probably reading this on, to a near-perfect CVSS 9.9 that'll hit developers right in the build pipeline, to an entire attack campaign orchestrated by AI. Let's get into it.
HIGH - CVSS 8.8
🌐 Chrome Zero-Day: CVE-2026-2441
Google patched the first actively exploited Chrome zero-day of 2026 — a use-after-free vulnerability in Chrome's CSS engine (CSSFontFeatureValuesMap). An iterator invalidation bug lets an attacker craft an HTML page that achieves code execution inside Chrome's sandbox. Reported by researcher Shaheen Fazim on Feb 11, patched within two days. Affects all Chromium-based browsers: Chrome, Edge, Brave, Opera, Vivaldi.
Patched: Chrome 145.0.7632.75/76 (Win/Mac) · 144.0.7559.75 (Linux)
📋 Worth Knowing
If you never close your browser, auto-updates can sit waiting. What I personally do: three-dot menu → Help → About Chrome. Takes about 10 seconds. Google patched 8 zero-days in 2025 — this is the first of 2026.
CRITICAL - CVSS 9.9
🔓 Semantic Kernel RCE: CVE-2026-26030
A near-perfect 9.9 out of 10 in Microsoft's Semantic Kernel Python SDK — that's golden goose territory. The vulnerability is a code injection flaw (CWE-94) in the InMemoryVectorStore filter. An authenticated attacker can inject and execute arbitrary code through filter parameters with low complexity, low privilege, and zero user interaction. If you're building RAG systems, AI agents, or semantic search with this SDK, this is worth your attention.
Fixed in: python-1.39.4 · Workaround: Avoid InMemoryVectorStore in production until patched
⚠️ Keep in Mind
This is a critical vulnerability in an AI development framework. The targets are developers and the AI applications they're building. A patch does you no good if it's not installed — update your libraries and update your stuff.
~Cipherceval
Supply Chain Attack
🦞 Cline CLI Compromised: OpenClaw Installed on Dev Machines
Someone compromised Cline's npm publish token and pushed a malicious update (v2.3.0) that silently installed OpenClaw — a self-hosted autonomous AI agent with full disk access — on every machine that pulled the update. The attack chain started with a prompt injection in Cline's AI-powered GitHub issue triage bot, pivoted through CI/CD cache poisoning, and leaked npm credentials. Cline patched fast but rotated the wrong token. Eight days later, the still-valid token was used. The tainted package was live for ~8 hours and downloaded roughly 4,000 times.
Check: cline --version · Fix: Update to 2.4.0 · npm uninstall -g openclaw
🔍 Things to Consider
This attack started with a GitHub issue title — natural language prompt injection flowing through AI → CI/CD → published package → millions of potential users. That's not theoretical. That's an operational reality. If you're using AI automation in your build pipelines, treat those AI agents as privileged actors that need governance.
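The two developer-tooling items above (the Cline Check/Fix line and the Semantic Kernel "Fixed in" line) can be checked on a workstation in one pass. The script below is an added example, not code from Cline, Microsoft or this newsletter; it assumes the npm package is named `cline`, and the function names are illustrative.

```python
import json
import re
import subprocess
from importlib import metadata

# Version facts come from the newsletter. The npm package name "cline" is an
# assumption (the page only shows the `cline` command); adjust if yours differs.
CLINE_TAINTED = "2.3.0"
SK_FIXED = (1, 39, 4)


def vtuple(version):
    """'1.39.4' -> (1, 39, 4); only the first three numeric fields are compared."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def audit(npm_globals, sk_version):
    """npm_globals: parsed `npm ls -g --json --depth=0`; sk_version: str or None."""
    deps = npm_globals.get("dependencies") or {}
    findings = []
    if deps.get("cline", {}).get("version") == CLINE_TAINTED:
        findings.append("cline 2.3.0 is installed (tainted release): update to 2.4.0")
    if "openclaw" in deps:
        findings.append("openclaw is installed globally: remove it unless you installed it")
    if sk_version and vtuple(sk_version) < SK_FIXED:
        findings.append(f"semantic-kernel {sk_version} predates 1.39.4: upgrade")
    return findings


def collect():
    """Read live state; a missing npm or package just yields empty results."""
    try:
        out = subprocess.run(["npm", "ls", "-g", "--json", "--depth=0"],
                             capture_output=True, text=True, timeout=60).stdout
        npm_globals = json.loads(out or "{}")
    except (OSError, subprocess.SubprocessError, ValueError):
        npm_globals = {}
    try:
        sk_version = metadata.version("semantic-kernel")
    except metadata.PackageNotFoundError:
        sk_version = None
    return npm_globals, sk_version


if __name__ == "__main__":
    for line in audit(*collect()) or ["no findings"]:
        print(line)
```

Run it with the interpreter of each virtual environment that might carry the SDK, since `importlib.metadata` only sees the environment it runs in.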
Novel Threat
🥸 PromptSpy — Android Malware Using Google Gemini at Runtime
ESET discovered the first Android malware to use generative AI in its execution flow. PromptSpy takes an XML dump of the current screen and sends it to Google's Gemini, which returns JSON instructions telling the malware exactly where to tap. This lets it adapt to any device, layout, or OS version — a fundamental shift. Primary payload: a VNC module for full remote access, plus lockscreen capture, screen recording, and invisible overlays blocking uninstallation. Distributed via a fake JPMorgan Chase site targeting Argentina. Not on Google Play.
⚠️ Keep in Mind
Bad grammar used to be a reliable phishing indicator — AI changed that. Hardcoded UI coordinates used to be a limitation for mobile malware — AI is removing those limitations one by one. Something to be very aware of going forward.
AI-Powered Campaign
🧱 600 FortiGate Firewalls Breached with Commercial AI Tools
Amazon Threat Intelligence revealed a Russian-speaking, financially motivated threat actor used off-the-shelf generative AI tools to compromise 600+ FortiGate firewalls in 55 countries in just 5 weeks. No zero-days, just exposed management interfaces and weak credentials. The attacker used a custom system (ARXON) querying DeepSeek and Claude to generate attack plans, then used AI to execute Impacket, Metasploit, and hashcat autonomously. Post-exploitation included DCSync, pass-the-hash, NTLM relay, and targeting of Veeam backup servers. Cybercriminals are vibe coding, and it's terrifying.
📋 Worth Knowing
The barrier to entry has collapsed, and it's going to keep going lower. The defenses that matter are fundamentals: don't expose management interfaces to the internet, enforce MFA everywhere, use unique credentials, isolate backup infrastructure, and update your stuff.
🔢 Key Takeaways
1. Update your browsers. Chrome's first zero-day of 2026 is patched. A crafted web page is all it takes; all Chromium browsers affected.
2. AI development tooling is now a high-value target. CVSS 9.9 in Semantic Kernel + Cline supply chain attack. If you build with AI tools, their security is part of your threat model.
3. Supply chain security goes beyond dependencies. The Cline attack started with a GitHub issue title manipulating an AI triage bot. AI agents in CI/CD need governance.
4. AI is being weaponized on both sides. PromptSpy uses Gemini for persistence; the FortiGate campaign used AI for attack planning and autonomous execution. This is operational.
5. Fundamentals still win. 600 firewalls breached with weak passwords and exposed interfaces, not zero-days. MFA, credential hygiene, segmentation, and patching remain the top defenses.
🎧 Watch/Listen to the Full Episode
Catch the full breakdown on YouTube, Spotify, or Apple Podcasts — search "Exploit Brokers by Forgebound Research."
Found this valuable? Forward it to someone who touches a computer.
Stay vigilant, stay curious, and update your stuff.
— Cipherceval / Forgebound Research





