Threat Briefing: January 23, 2026

Threat Intel Update

Recent discoveries reveal escalating risk across cloud, browser, and AI environments. Attackers are deploying fake Chrome extensions that mimic trusted tools, exploiting AI prompt-injection through calendar invites, launching targeted LastPass phishing campaigns, spreading ModeloRAT through fake browser crash alerts, and taking advantage of an AWS CodeBuild flaw that could expose entire cloud environments.

Together, these incidents highlight the growing sophistication of social engineering, supply-chain abuse, and AI-assisted attack techniques, reinforcing the need for tighter extension governance, layered authentication, heightened email vigilance, and stronger cloud security controls.

Cybersecurity News

  • Fake Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts – Security researchers uncovered five malicious Chrome extensions posing as Workday and NetSuite tools to steal authentication tokens and bypass security controls. Though removed from the Chrome Web Store, they remain on third-party sites. Users should delete the extensions, reset passwords, and review accounts for suspicious activity. (Source: The Hacker News)
  • Gemini Calendar Invite Flaw Enables Indirect Prompt Injection – Researchers found a vulnerability in Google’s Gemini where malicious calendar invites could trick the AI into exposing sensitive meeting data. The attack hides prompt injection in normal-looking event text, bypassing basic defenses. Google has acknowledged the issue and implemented fixes. (Source: SecurityWeek)
  • Malicious Chrome Extension Used to Deliver New ModeloRAT – The KongTuke campaign used a malicious Chrome extension posing as an ad blocker to repeatedly crash browsers and prompt users to run fake fixes. This “CrashFix” tactic led victims to install a new remote access trojan, ModeloRAT. The extension was downloaded over 5,000 times before removal, showcasing advanced social engineering through trusted-looking tools. (Source: The Hacker News)
  • Phishing Emails Pose as LastPass Maintenance Alerts – LastPass warned of a phishing campaign using fake maintenance emails to trick users into revealing master passwords. The messages press users to back up their vaults within 24 hours. LastPass reminds users it never asks for master passwords and is working to shut down the scam infrastructure. (Source: The Hacker News)
  • AWS CodeBuild Flaw Could Have Exposed Entire Cloud Environments – Researchers uncovered “CodeBreach,” a critical AWS CodeBuild flaw caused by a small filtering error that risked leaking privileged credentials and repository access. AWS fixed the issue within 48 hours. Users are advised to enable Pull Request Comment Approval to reduce risk. (Source: Hackread)

About the Author
CampusGuard Threat Intel Team