Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents & More
Chrome Zero-Day Attacks & Global Cyber Threats: The Week’s Most Critical Security News
Google Patches Two Actively Exploited Chrome Zero-Days
Google has issued emergency security updates for its Chrome browser, addressing two high-severity vulnerabilities that were actively being exploited in the wild. The first flaw, CVE-2026-3909, is an out-of-bounds write vulnerability in the Skia 2D graphics library, while the second, CVE-2026-3910, is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine. Both could potentially allow attackers to execute arbitrary code or access sensitive memory.
“These aren’t theoretical threats,” security experts warn. “Attackers were already using these exploits against unsuspecting users before Google could patch them.” The vulnerabilities have been addressed in Chrome versions 146.0.7680.75/76 for Windows and macOS, and 146.0.7680.75 for Linux.
Meta to Discontinue Instagram End-to-End Encryption
In a controversial move, Meta announced plans to discontinue support for end-to-end encryption (E2EE) for direct messages on Instagram after May 8, 2026. The company claims that very few users were opting into the feature, stating, “Anyone who wants to keep messaging with end-to-end encryption can easily do that on WhatsApp.”
Privacy advocates are sounding alarms, arguing this represents a significant step backward for user privacy. “Meta is essentially abandoning a critical privacy feature that protects millions of users from surveillance and data breaches,” one security researcher commented.
International Operation Dismantles SocksEscort Proxy Service
A coordinated international law enforcement operation has dismantled SocksEscort, a criminal proxy service that enslaved thousands of residential routers worldwide into a massive botnet. The service was used for large-scale fraud operations; its routers were infected with the AVrecon malware, which specifically targets MIPS and ARM architectures through known vulnerabilities in edge network devices.
“The most concerning aspect is the novel persistence mechanism,” cybersecurity analysts note. “By flashing custom firmware that disables future updates, these routers are permanently transformed into proxy nodes, making them virtually impossible to clean without physical access.”
UNC6026 Exploits npm Supply Chain Attack
The threat actor UNC6026 has leveraged stolen keys from the August 2025 nx npm package supply chain compromise to completely breach a victim’s AWS environment within just 72 hours. The attackers abused GitHub-to-AWS OpenID Connect (OIDC) trust to create new administrator roles, exfiltrate files from Amazon S3 buckets, and perform data destruction in production cloud environments.
“This demonstrates the cascading effects of supply chain attacks,” security experts emphasize. “One compromised package can lead to complete cloud environment takeover in less than three days.”
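The OIDC trust abuse described above starts with a role whose trust policy accepts tokens from too many GitHub repositories. The following added example (not code from the original post or from any of the vendors mentioned) audits an IAM role trust policy for the GitHub OIDC provider and flags a missing audience check, a missing or wildcard `sub` condition, and a `sub` claim not pinned to a branch, tag or environment; the account id and repository names in the samples are constructed.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
ASSUME = "sts:AssumeRoleWithWebIdentity"
# Constructed samples (hypothetical account id and repository names).
# Weak: wildcard repository match and no audience check.
WEAK_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
    "Action": ASSUME,
    "Condition": {"StringLike": {f"{GITHUB_OIDC}:sub": "repo:example-org/*"}},
}]})
# Hardened: exact match on the audience and on one repository branch.
HARDENED_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
    "Action": ASSUME,
    "Condition": {"StringEquals": {
        f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
        f"{GITHUB_OIDC}:sub": "repo:example-org/app:ref:refs/heads/main",
    }},
}]})

def _as_list(v):
    # IAM allows a single string or a list in most policy fields.
    return [v] if isinstance(v, str) else list(v or [])

def audit_github_oidc_trust(policy_json: str) -> list[str]:
    # Returns one finding per weakness in statements that let GitHub OIDC tokens assume the role.
    findings = []
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for i, st in enumerate(stmts):
        if st.get("Effect") != "Allow" or ASSUME not in _as_list(st.get("Action")): continue
        if not any(GITHUB_OIDC in f for f in _as_list(st.get("Principal", {}).get("Federated"))): continue
        aud_ok, subs = False, []
        for op, kv in st.get("Condition", {}).items():
            for key, val in kv.items():
                if key.lower() == f"{GITHUB_OIDC}:aud":
                    aud_ok = True
                elif key.lower() == f"{GITHUB_OIDC}:sub":
                    subs += [(op, v) for v in _as_list(val)]
        if not aud_ok:
            findings.append(f"statement {i}: no aud condition, tokens minted for any audience are accepted")
        if not subs:
            findings.append(f"statement {i}: no sub condition, any GitHub repository may assume the role")
        for op, v in subs:
            if op.startswith("StringLike") and any(c in v for c in "*?"):
                findings.append(f"statement {i}: wildcard sub '{v}' matches many repositories or branches")
            elif not any(t in v for t in (":ref:", ":environment:", ":pull_request")):
                findings.append(f"statement {i}: sub '{v}' is not pinned to a branch, tag or environment")
    return findings
```

Run it over the trust policy returned by `aws iam get-role`; an empty list means every GitHub-federated statement pins both the audience and an exact `sub`.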
KadNap Botnet Enslaves 14,000+ Devices
A takedown-resistant botnet named KadNap has conscripted over 14,000 routers and network devices into a proxy network called Doppelganger. The botnet exploits known vulnerabilities in Asus routers and other devices, using Kademlia-based peer-to-peer networks for decentralized control. These infected devices tunnel customers’ internet traffic through residential IP addresses, making malicious traffic virtually indistinguishable from legitimate activity.
APT28 Strikes with Sophisticated Toolkit
The Russian threat actor APT28 has deployed a sophisticated toolkit against Ukrainian targets. The toolkit includes two custom implants: one employs techniques from malware frameworks used in the 2010s, and the other is a heavily modified version of the COVENANT framework. The attackers also use SLIMAGENT, which shares overlaps with XAgent, for long-term espionage operations.
Critical Vulnerabilities Demand Immediate Attention
This week’s vulnerability landscape includes several critical flaws requiring immediate patching:
- Chrome Zero-Days: CVE-2026-3909, CVE-2026-3910, CVE-2026-3913
- Veeam Backup & Replication: Seven critical vulnerabilities (CVE-2026-21666 through CVE-2026-21669, CVE-2026-21671, CVE-2026-21672, CVE-2026-21708)
- n8n Workflow Automation: Multiple remote code execution flaws (CVE-2026-27577, CVE-2026-27493, CVE-2026-27495, CVE-2026-27497)
- Microsoft Windows: High-severity flaws (CVE-2026-26127, CVE-2026-21262)
- SAP Systems: Dozens of vendors affected by security flaws (CVE-2019-17571, CVE-2026-27685)
- ExifTool for macOS: CVE-2026-3102
- Nginx UI: CVE-2026-27944
- K7 Ultimate Security: CVE-2025-67826
- Intego X9: CVE-2026-26224, CVE-2026-26225
- pac4j-jwt: CVE-2026-29000
- HPE Aruba Networking AOS-CX: CVE-2026-23813
- PostgreSQL: Denial of service vulnerability (CVE-2025-12818)
- WordPress Plugins: Multiple critical flaws affecting hundreds of thousands of sites
Emerging Threats and Campaigns
Fake Google Security Check Delivers Browser RAT
A sophisticated phishing campaign has emerged using web pages mimicking Google Account security checks to deliver a browser-based surveillance toolkit. Disguised as routine security checkups, these pages walk victims through a four-step flow that grants attackers push notification access, device contact lists, real-time GPS location, and clipboard contents—all without installing traditional applications.
Forbidden Hyena Distributes BlackReaperRAT
The hacktivist group Forbidden Hyena has been distributing RAR archives containing BlackReaperRAT, a previously undocumented remote access trojan. The malware carries out destructive attacks against Russian organizations and collaborates with groups like Cobalt Werewolf and Hoody Hyena.
Chinese Hackers Target Persian Gulf Region
A China-nexus threat actor, likely Mustang Panda, has targeted countries in the Persian Gulf region using a multi-stage attack chain that deploys PlugX backdoor variants. The malware employs sophisticated obfuscation techniques including control flow flattening and mixed boolean arithmetic to hinder reverse engineering.
Phishing Campaign Uses SEO Poisoning
A phishing campaign has employed SEO poisoning to direct search engine results to fake traffic ticket portals impersonating Canadian government agencies. The campaign uses “waiting room” tactics where victims’ browsers poll servers every two seconds, triggering redirects based on specific status codes.
Roundcube Exploitation Toolkit Discovered
Hunt.io discovered a Roundcube exploitation toolkit attributed to APT28, featuring development and production XSS payloads, a Flask-based command-and-control server, CSS-injection tooling, and a Go-based implant deployed on compromised Ukrainian web applications. The toolkit supports credential harvesting, persistent mail forwarding, bulk email exfiltration, and two-factor authentication secret extraction.
Cybersecurity Tools and Resources
Dev Machine Guard
A free, open-source tool that scans your computer to identify AI coding assistants, code editor extensions, and software packages running on your system. It helps detect suspicious or outdated tools that could pose security risks.
Trajan
An automated security tool designed to find hidden vulnerabilities in service meshes—the systems that manage how different parts of large software applications communicate. Trajan scans configurations to spot errors that could allow hackers to bypass security or steal data.
Conclusion
This week’s cybersecurity landscape reveals a troubling pattern: attackers are becoming increasingly sophisticated, leveraging supply chain compromises, abusing legitimate services, and developing novel persistence mechanisms. From browser zero-days being exploited in the wild to coordinated botnet operations and state-sponsored espionage campaigns, the threats are both diverse and evolving rapidly.
The message is clear: organizations cannot afford to be reactive. Patching critical vulnerabilities immediately, monitoring for unusual network activity, and implementing defense-in-depth strategies are no longer optional—they’re essential for survival in today’s threat environment.
Tags: Chrome zero-day, APT28, supply chain attack, botnet, end-to-end encryption, SocksEscort, KadNap, UNC6026, critical vulnerabilities, phishing campaign, meta privacy, google chrome, cybersecurity threats, ransomware, npm package, AWS breach, browser RAT, cyber espionage
Viral Sentences:
- “Attackers were already using these exploits against unsuspecting users before Google could patch them.”
- “Meta is essentially abandoning a critical privacy feature that protects millions of users.”
- “These routers are permanently transformed into proxy nodes, making them virtually impossible to clean without physical access.”
- “One compromised package can lead to complete cloud environment takeover in less than three days.”
- “Malicious traffic virtually indistinguishable from legitimate activity.”
- “The threats are both diverse and evolving rapidly.”
- “Patching critical vulnerabilities immediately is no longer optional—it’s essential for survival.”