600 Firewalls Breached by AI in 5 Weeks — Plus Chrome Zero-Day, CVSS 9.9 RCE & AI-Powered Malware | HN63

Author: Cipherceval | March 5, 2026 | Duration: 28:52
AI is reshaping both sides of the cybersecurity battlefield — and fast. In this episode, we break down five stories that prove it: the first Chrome zero-day of 2026 (CVE-2026-2441), a near-perfect CVSS 9.9 in Microsoft's Semantic Kernel SDK (CVE-2026-26030), a supply chain attack on AI coding assistant Cline that silently installed autonomous agents on thousands of developer machines, the first-ever Android malware using Google's Gemini AI at runtime (PromptSpy), and a Russian-speaking threat actor who used commercial AI tools to breach over 600 FortiGate firewalls across 55 countries in just five weeks.

Whether you're a developer, security professional, or just someone who uses a browser — this one's worth your time.


---

### ⏱️ Timestamps

0:00 — Hook: AI Is Reshaping Cybersecurity
1:08 — Welcome & CTA
1:49 — Story 1: Chrome Zero-Day CVE-2026-2441 (CVSS 8.8)
5:15 — Story 2: Microsoft Semantic Kernel RCE CVE-2026-26030 (CVSS 9.9)
7:58 — Story 3: Cline CLI Supply Chain Attack — OpenClaw Installed on 4,000 Machines
14:35 — Story 4: PromptSpy — First Android Malware Using Gemini AI
20:15 — Story 5: 600 FortiGate Firewalls Breached via AI-Assisted Campaign
25:57 — Recap & Key Takeaways
28:46 — Outro

---

### 📰 Story Summaries

**Story 1 — Chrome Zero-Day: CVE-2026-2441 (CVSS 8.8)**
Google patched the first actively exploited Chrome zero-day of 2026 on February 13th. It's a use-after-free vulnerability in Chrome's CSS engine — specifically in the CSSFontFeatureValuesMap implementation — caused by an iterator invalidation bug. An attacker can craft a malicious HTML page to achieve arbitrary code execution inside Chrome's sandbox. Reported by researcher Shaheen Fazim on Feb 11, patched two days later. Affects ALL Chromium-based browsers: Chrome, Edge, Brave, Opera, Vivaldi. Patched in Chrome 145.0.7632.75/76 (Win/Mac) and 144.0.7559.75 (Linux).

**Story 2 — Semantic Kernel RCE: CVE-2026-26030 (CVSS 9.9)**
A critical remote code execution vulnerability in Microsoft's Semantic Kernel Python SDK — specifically in the InMemoryVectorStore filter functionality. CWE-94: Improper Control of Code Generation. Network-accessible with low attack complexity, low privilege required, and zero user interaction needed. If you're building AI applications with RAG, AI agents, or semantic search using Semantic Kernel, this one hits close to home. Patched in python-1.39.4. Microsoft's workaround: avoid using InMemoryVectorStore in production until patched.

**Story 3 — Cline Supply Chain Attack**
On February 17, 2026, someone compromised Cline's npm publish token and pushed a malicious update (Cline CLI v2.3.0) that silently installed OpenClaw — a self-hosted autonomous AI agent — on every developer machine that pulled the update. The attack chain started when researcher Adnan Khan discovered a prompt injection vulnerability in Cline's AI-powered GitHub issue triage bot. The attacker used GitHub Actions cache poisoning to pivot from the triage workflow to the release pipeline, leaking npm publication credentials. Cline patched the prompt injection within 30 minutes but rotated the wrong token. Eight days later, the still-valid token was used to publish the compromised package. It was live for ~8 hours and downloaded roughly 4,000 times. Fixed in v2.4.0; publishing moved to OIDC via GitHub Actions.

**Story 4 — PromptSpy: First Android Malware Using Generative AI at Runtime**
ESET researchers discovered PromptSpy — the first known Android malware to use Google's Gemini AI model during its execution flow. Traditional Android malware relies on hardcoded tap coordinates and UI selectors that break across different devices. PromptSpy solves this by taking an XML dump of the current screen and sending it to Gemini, which returns JSON instructions telling the malware exactly where to tap. It uses this loop to pin itself in the recent apps list, persisting across reboots. Primary payload: a built-in VNC module for full remote device access. Also captures lockscreen PINs, records unlock patterns as video, and blocks uninstallation with invisible overlays. Distributed via a site impersonating JPMorgan Chase targeting Argentina. Chinese language strings found in codebase. Not on Google Play; Google Play Protect detects known variants.

**Story 5 — 600 FortiGate Firewalls Breached via AI-Assisted Campaign**
Amazon Threat Intelligence revealed a Russian-speaking, financially motivated threat actor used multiple commercial AI tools to compromise 600+ FortiGate firewall devices across 55 countries in just 5 weeks (Jan 11–Feb 18, 2026). No zero-days — just exposed management interfaces and weak credentials with single-factor auth. The attacker extracted full device configs (SSL-VPN creds, network topology, IPsec settings), then fed that data into a custom system called ARXON that queried LLMs including DeepSeek and Claude to generate attack plans. Post-exploitation included DCSync attacks against Active Directory, lateral movement via pass-the-hash and pass-the-ticket, NTLM relay attacks, and targeting of Veeam Backup servers — consistent with ransomware preparation. No ransomware was actually deployed. The attacker's staging server (212[.]11[.]64[.]250) was publicly accessible, exposing AI-generated attack plans and victim configs. As Amazon CISO CJ Moses put it: organizations need to anticipate that AI-augmented threat activity will continue to grow from both skilled and unskilled adversaries.
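
An added example, not from the episode or from Amazon's report: a small Python audit of a FortiGate configuration backup for the two weaknesses this story names, management protocols reachable on a WAN interface and administrator accounts with single-factor login. The sample config is constructed, and the script assumes WAN ports are marked `set role wan` and that an absent `two-factor` line means the default (disabled); the trusted-host check is an extra hardening test added here.

```python
MGMT = {"https", "http", "ssh", "telnet"}  # admin-plane values of `set allowaccess`

def parse(text, wanted):
    """Return {section: {entry: {key: [values]}}} for top-level sections in `wanted`."""
    out, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        tok = [t.strip('"') for t in raw.split()] or [""]
        if tok[0] == "config":
            depth += 1
            section = " ".join(tok[1:]) if depth == 1 else section
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and section in wanted:  # ignores nested blocks (`config ipv6`)
            if tok[0] == "edit":
                entry = out.setdefault(section, {}).setdefault(tok[1], {})
            elif tok[0] == "set" and entry is not None:
                entry[tok[1]] = tok[2:]
            elif tok[0] == "next":
                entry = None
    return out

def audit(text):
    cfg = parse(text, {"system interface", "system admin"})
    findings = []
    for name, kv in cfg.get("system interface", {}).items():
        exposed = sorted(MGMT & set(kv.get("allowaccess", [])))
        if exposed and kv.get("role") == ["wan"]:  # assumption: WAN ports carry `set role wan`
            findings.append(f"interface {name}: management on WAN ({', '.join(exposed)})")
    for name, kv in cfg.get("system admin", {}).items():
        if kv.get("two-factor", ["disable"]) == ["disable"]:  # assumption: unset means disabled
            findings.append(f"admin {name}: single-factor login")
        if not any(k.startswith("trusthost") for k in kv):
            findings.append(f"admin {name}: no trusted-host restriction")
    return findings

# Constructed sample in FortiOS backup syntax; not taken from any real device.
SAMPLE = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""
print("\n".join(audit(SAMPLE)))
```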

---

### 📋 Key Takeaways

1. **Update your browsers.** Chrome's first zero-day of 2026 is patched (CVE-2026-2441). A crafted web page is all it takes. This applies to Chrome, Edge, Brave, and every Chromium-based browser.
2. **AI development tooling is now a high-value target.** A CVSS 9.9 in Microsoft's Semantic Kernel and a supply chain attack on Cline — if you're building with AI tools, their security is now part of your threat model.
3. **Supply chain security isn't just about dependencies — it's about your CI/CD pipeline.** The Cline attack started with a GitHub issue title that manipulated an AI triage bot. If you're using AI automation in build pipelines, treat those AI agents as privileged actors that need governance.
4. **AI is being weaponized on both sides.** PromptSpy uses Gemini for malware persistence; the FortiGate campaign used AI to generate attack plans and execute tools autonomously. This is operational, not theoretical.
5. **Fundamentals still win.** Six hundred firewalls breached — not with zero-days, but with weak passwords and exposed management interfaces. MFA, credential hygiene, network segmentation, and patching remain the most effective defenses.

---

### 📚 Sources

**Story 1 — Chrome Zero-Day (CVE-2026-2441)**
- The Hacker News: https://thehackernews.com/2026/02/new-chrome-zero-day-cve-2026-2441-under.html
- BleepingComputer / Malwarebytes: https://www.malwarebytes.com/blog/news/2026/02/update-chrome-now-zero-day-bug-allows-code-execution-via-malicious-webpages
- Help Net Security: https://www.helpnetsecurity.com/2026/02/16/google-patches-chrome-vulnerability-with-in-the-wild-exploit-cve-2026-2441/
- The Register: https://www.theregister.com/2026/02/16/chromes_zeroday/
- SOCRadar: https://socradar.io/blog/cve-2026-2441-chrome-0-day-sandbox-code-execution/
- Google Chrome Release Blog: https://chromereleases.googleblog.com

**Story 2 — Semantic Kernel RCE (CVE-2026-26030)**
- GitHub Security Advisory: https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26030
- The Hacker Wire: https://www.thehackerwire.com/vulnerability/CVE-2026-26030/

**Story 3 — Cline Supply Chain Attack**
- The Hacker News: https://thehackernews.com/2026/02/cline-cli-230-supply-chain-attack.html
- The Register: https://www.theregister.com/2026/02/20/openclaw_snuck_into_cline_package
- Dark Reading: https://www.darkreading.com/application-security/supply-chain-attack-openclaw-cline-users
- Snyk (Clinejection Analysis): https://snyk.io/blog/cline-supply-chain-attack-prompt-injection-github-actions/
- Endor Labs: https://www.endorlabs.com/learn/supply-chain-attack-targeting-cline-installs-openclaw
- Adnan Khan's Research: https://adnanthekhan.com/2026/02/09/clinejection/

**Story 4 — PromptSpy Android Malware**
- ESET / WeLiveSecurity: https://www.welivesecurity.com/en/eset-research/promptspy-ushers-in-era-android-threats-using-genai/
- The Hacker News: https://thehackernews.com/2026/02/promptspy-android-malware-abuses-google.html
- BleepingComputer: https://www.bleepingcomputer.com/news/security/promptspy-is-the-first-known-android-malware-to-use-generative-ai-at-runtime/
- SecurityWeek: https://www.securityweek.com/promptspy-android-malware-abuses-gemini-ai-at-runtime-for-persistence/
- ESET Press Release: https://www.eset.com/us/about/newsroom/research/eset-research-discovers-promptspy-first-android-threat-using-genai/

**Story 5 — FortiGate AI-Assisted Campaign**
- Amazon / AWS Security Blog: https://aws.amazon.com/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale/
- The Hacker News: https://thehackernews.com/2026/02/ai-assisted-threat-actor-compromises.html
- BleepingComputer: https://www.bleepingcomputer.com/news/security/amazon-ai-assisted-hacker-breached-600-fortigate-firewalls-in-5-weeks/
- The Record: https://therecord.media/gen-ai-fortigate-hackers-russia
- SecurityWeek: https://www.securityweek.com/hundreds-of-fortigate-firewalls-hacked-in-ai-powered-attacks-aws/
- Security Affairs: https://securityaffairs.com/188351/hacking/ai-powered-campaign-compromises-600-fortigate-systems-worldwide.html

---

### ⚖️ Disclaimer
The content presented by Exploit Brokers by Forgebound Research is for educational and informational purposes only. Cipherceval is a cybersecurity educator and commentator — not your personal security consultant, legal counsel, or professional advisor. The information shared here reflects publicly available research, industry reporting, and the host's personal perspective. It does not constitute professional security consulting or individualized guidance for your specific environment. Always consult with qualified professionals for decisions affecting your systems and security posture.

Ever wonder how a hacker actually thinks when they're picking a digital lock? That's the kind of curiosity that drives Exploit Brokers By Forgebound Research. Hosted by Cipherceval, this isn't just a rundown of the week's scary headlines. Instead, it's a deep, analytical dive into the mechanics behind major cyber events. Each episode takes apart real-world incidents, from sprawling data breaches and clever malware to massive botnet takedowns, and walks through the how and why. The goal is practical: by understanding the tools and tactics used in an attack, we can all build smarter defenses. You'll find a mix of sharp commentary on breaking tech news and clear, insightful tutorials that demystify complex security concepts. Tune in for a perspective that goes beyond surface-level reporting, offering a genuine look into the mindset of both attackers and defenders. This podcast serves as a valuable resource for anyone from IT professionals to simply tech-curious listeners who want to move past fear and into comprehension.
Language: en-us | Episodes: 62
