Deep dives on browser security, isolation, and the ideas behind Bromure.
Bromure runs two on-device classifiers over everything its coding agent reads. Prompt injection in tool output and web fetches is handled by Meta's Llama Prompt Guard 2. A rogue CLAUDE.md needs a different model entirely — injection detection fires on every line of a file that is meant to be all instructions — so we fine-tuned ModernBERT to classify harm instead. This is the full pipeline: harvesting a benign corpus, synthesizing malicious examples, clause-level windowing, the training loop, and the ONNX export, in enough detail to reproduce.
A sandbox asks a developer to trade away the speed that makes a coding agent worth running — pre-approve every dependency, maintain an allowlist of domains, never touch a package the org hasn't vetted. So developers turn it off. Bromure Agentic Coding refuses that trade. It does not constrain what the agent does; it draws one hard line at the hypervisor and lets you do anything on the inside. This is the foundational case for why a boundary beats a sandbox, and for the three guarantees the boundary makes true: no credentials to steal, wide tokens narrowed at the wire, and supply-chain attacks stopped before the tarball lands. A fourth guarantee now joins them at the same line: prompt injections caught in the content the agent reads, before the model obeys them.
On June 5–6, 2026, the Miasma worm pushed credential-stealing code into 73 repositories across four of Microsoft's own GitHub organizations — Azure, Azure-Samples, microsoft, MicrosoftDocs — including Azure/functions-action, the official deploy Action, and durabletask, a repo that had already been cleaned once in May. This time the payload did not wait for npm install. It fired the moment a developer opened the repository in Claude Code, Cursor, Gemini CLI, or VS Code. Here is why the trust signal — 'it's a Microsoft repo' — was again the attack surface, and what changes when the agent that opens it lives in a per-profile Bromure VM, behind a credential broker, a read-write guardrail, and a package cooldown.
In late April, a Cursor agent running Claude Opus 4.6 was sent to fix a staging problem at a small SaaS called PocketOS. It guessed that deleting a Railway volume would be scoped to staging, didn't verify, and wiped the production database and its backups in nine seconds. It later said it should have asked first. Bromure Agentic Coding 2.2 ships a guardrail that takes 'should have asked' out of the agent's hands.
A zero-day in github.dev let a malicious preview pane reach out of its sandbox, silently install an extension, and read a GitHub OAuth token with access to every private repo the victim could touch. The fix is honest about its limits — the sharper move is to never bring your token to a stranger's repo in the first place.
Between late May and June 1, 2026, a worm called Miasma pushed credential-stealing code into 32 packages under the @redhat-cloud-services npm scope — Red Hat's own namespace, ~117,000 weekly downloads, signed by Red Hat's real publishing pipeline. There was no typosquat to catch and no unknown maintainer to flag. The trust signal was the vendor's name on the scope, and the vendor's name is exactly what the attacker rode in on. Here is why 'prefer reputable publishers' stopped being a defense, and what changes when the agent running the install lives in a per-profile Bromure VM.
A new campaign rents the trust of a domain you already believe in. A Google ad sends you to a real chatgpt.com share link, the share link shows a fake outage notice, and the notice hands you malware. Here is how the trust gets borrowed — and why the borrowing stops mattering when the whole thing happens inside a VM you throw away.
Google accidentally republished a four-year-old Chromium bug last week — a service worker that keeps running JavaScript after the browser closes, on every major Chromium browser, still unpatched. The proof-of-concept is now in the wild. The interesting question is not how it works. It is what "persistence" means on a browser whose entire underlying machine ceases to exist when you close the tab.
On May 18, 2026, Lasso Security disclosed two attacks against Nvidia's NemoClaw — the sandbox that runs the OpenClaw autonomous coding agent. The sandbox worked the way Nvidia said it did. The agent inside the sandbox still pushed the user's GitHub token to an attacker-controlled pull request, encoded as emoji to slip past GitHub's static secret scanner. The interesting question isn't whether the sandbox is broken. It's whether a sandbox with a plaintext credential file inside it was ever a sandbox in the architecturally useful sense, and what the answer implies for everyone shipping a coding agent in 2026.
Sometime in the week of May 11, 2026, the people behind Shai-Hulud — the self-replicating npm supply-chain worm that has been eating maintainer accounts since September 2025 — leaked their own source code. By the weekend, OX Security had found four typosquatted npm packages under one account, one of which is a near-verbatim copy of the leaked worm, another of which is a Golang DDoS bot, and the other two are plain infostealers shipping SSH keys and crypto wallets to bargain-bin C2s. The fork floor of supply-chain attacks just got a lot lower, and the people most likely to install one of these packages are no longer human.
Uber burned its full-year 2026 AI coding budget by April. The CTO went back to the drawing board — not because the tools were bad, but because nobody could tie a single dollar of token spend to a single shipped change. The agents are fine. The visibility layer is the problem. Here is what that looks like, and what changes when every agent session is a structured record instead of a wall of scrollback.
On May 11, 2026, an npm worm called Mini Shai-Hulud added an optionalDependencies line to 42 packages in the @tanstack namespace. Installing any of them ran a Bun script that grabbed an OIDC token from the GitHub Actions environment, used it to publish more compromised versions with valid SLSA provenance, copied itself into .claude/ for the next time the coding agent started, and exfiltrated everything from ~/.aws to your crypto wallet. The packages were signed. The attestation was valid. Here is what the chain looks like, and what changes when the agent that ran the install lives inside a per-task Bromure VM.
Apple shipped macOS Tahoe 26.5 on May 11, 2026, with roughly seventy security fixes, including ten WebKit vulnerabilities. We walk through the WebKit list one CVE class at a time and ask the only question that matters in 2026 — what does this bug actually reach on a machine running Bromure?
On April 22, somebody uploaded a malicious npm package called @bitwarden/[email protected] — a typosquat that swept SSH keys, AWS/Azure/GCP credentials, GitHub tokens, npm publish tokens, and kubeconfigs out of any machine that ran it. The thing it was designed to feed on is the same thing modern coding agents do without thinking: install whatever npm hands back. Here is what that chain looks like, and what changes when the agent runs inside a Bromure VM instead of on your laptop.
A new extortion crew called BlackFile has been calling retail and hospitality employees, pretending to be IT, walking them into typing credentials and OTPs into a fake corporate login page, and then registering its own MFA device on the real account. The phone call is unaffected by anything a browser does. The page the user types into is not.
The Vercel breach disclosed this week started with a Context.ai employee downloading Roblox exploits on a personal PC, and ended with an attacker reading Vercel's customer environment variables. Bromure Enterprise, shipped this week, is built for exactly this chain.
Cisco Talos's Q1 2026 IR report puts phishing back on top as an initial-access vector and, inside it, documents the first case Talos attributes to an AI "vibe-coding" builder — an Outlook Web Access clone stood up on a *.softr.app subdomain, exfiltrating credentials to a disposable Google Sheet. URL reputation can't see this one coming. The right answer is down-stack.
An early version of Claude Mythos helped Mozilla find 271 security bugs in a single Firefox release. The right reaction is not panic, and not celebration — it is a quiet recalibration of what we still have to assume about every browser we ship, use, or build on top of.
A fake CAPTCHA writes a PowerShell one-liner to the clipboard. The user presses Win+R and pastes. No sandbox escape, no zero-day, no signed binary required — the human is the exploit. Here is what we ship against it today, where the gaps still are, and what Apple got right and wrong in macOS 26.4.
Microsoft documented a nine-stage ransomware chain that begins with an external Teams message impersonating the helpdesk and ends with Rclone quietly exfiltrating the network share. Eight of those nine steps need the host operating system. None of them can run against a tab.
A single operator pushed 108 malicious extensions onto the Chrome Web Store under five fake publishers, collected around 20,000 installs, and routed the lot to one command-and-control server. The review model didn't catch it. Here is why a security-first browser has to take a harder position.
A step-by-step look at Bromure's anti-phishing — the local sweep, the model, the verdict, and why your parents, your grandparents, and the neighbor across the hall are exactly who we built it for.
LinkedIn quietly probes for 6,000+ browser extensions, harvests 48 device attributes, and pulls your LAN IP via WebRTC on every visit. The fix is not a privacy setting — it is a different shape of browser.
The web is hostile, security advice is failing, and AI has changed the rules. Here's why we built a browser that takes the weight off your shoulders.
Apple and Google now spend tens of millions of dollars a year finding and fixing browser bugs. There are still eight to ten actively-exploited browser zero-days every year. This post lays out why that math does not change, how Claude Mythos and the "Vulnpocalypse" are about to make it worse, and why a browser built to assume it will be breached is a different kind of product.
Most ad blockers are browser extensions, and most browser extensions run inside the same process as the page they are trying to protect you from. Bromure does it differently. Here is how, and why it matters.
Most ransomware does not start with a zero-day. It starts with a browser tab. Here is how the attack chain actually works in 2026 — and what it looks like when it lands on a browser that was built to absorb the hit.
What a VPN actually does, what it doesn't do, why running one per profile inside Bromure changes the anonymity story, and a tour of how Cloudflare WARP works under the hood.