Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: chromium (2 articles)Clear

Google leaks unfixed Chromium flaw - Service Workers run JavaScript after browser closes, enabling silent botnet on Chrome, Edge, Brave

Google has accidentally published the technical details of an unfixed Chromium vulnerability that lets a malicious webpage run JavaScript on a visitor's device even after the browser is closed. The issue, originally reported by researcher Lyra Rebane in December 2022, abuses a Service Worker download task that never terminates. It was marked 'fixed' on February 12 and the bug tracker went public on May 20 after the 14-week visibility timer expired, but Rebane re-tested the latest Chrome Dev 150 and Edge 148 and confirmed the bug still works. Microsoft Edge no longer shows a download prompt, making the persistence completely silent. All Chromium-based browsers are affected.

Check
Inventory Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi, Arc) and check current Service Worker activity at chrome://serviceworker-internals/ for unexpected background fetches surviving browser close.
Affected
All Chromium-based browsers including Chrome Dev 150 and Edge 148 (and earlier). Confirmed bug in Service Worker handling. The Edge variant is silent (no download prompt).
Fix
No vendor patch yet. Until one ships: enforce a Chrome/Edge policy that blocks background-fetch or restricts service-worker scopes. Educate users to manually unregister Service Workers via chrome://serviceworker-internals/.

REMUS infostealer profiled - 64-bit Lumma successor with EtherHiding C2 and Chromium ABE bypass

Flare published a deep profile of REMUS, the 64-bit infostealer that emerged in early 2026 after Lumma Stealer's core operators were doxxed in late 2025. Gen Threat Labs links REMUS directly to Lumma's codebase through 'Tenzor' transitional builds from September 2025, identical string obfuscation, anti-VM checks via cpuid leaf 0x40000000, and a refined Application-Bound Encryption bypass for Chromium browsers. The malware harvests browser passwords, cookies, autofill, crypto wallets, and clipboard data, and uses EtherHiding (blockchain-based C2 resolution) for resilience. Flare's 128-post analysis of REMUS forum activity from Feb 12 to May 8 shows the operation has moved from rapid feature expansion into platform stabilization, with active customer-facing MaaS development.

Check
Hunt for processes reading Chromium browser process memory to extract master keys, look for outbound traffic resolving C2 through Ethereum or other blockchain RPC endpoints (EtherHiding), and review browser cookie store access patterns.
Affected
Enterprises with users running Chromium-based browsers (Chrome, Edge, Brave) and saved passwords or session cookies. Crypto-holding individuals and finance, accounting, and developer roles with broad SaaS account access face elevated session-theft risk.
Fix
Roll out Application-Bound Encryption hardening on managed Chromium browsers, enforce conditional access with continuous access evaluation to invalidate stolen sessions, block known REMUS C2 indicators, and replace browser-stored passwords with an enterprise password manager.