Blog
Deep dives on browser security, isolation, and the ideas behind Bromure.
Your coding agent installed the fake Bitwarden
On April 22, somebody uploaded a malicious npm package called @bitwarden/[email protected] — a typosquat that swept SSH keys, AWS/Azure/GCP credentials, GitHub tokens, npm publish tokens, and kubeconfigs out of any machine that ran it. The thing it was designed to feed on is the same thing modern coding agents do without thinking: install whatever npm hands back. Here is what that chain looks like, and what changes when the agent runs inside a Bromure VM instead of on your laptop.
The call is coming from inside the helpdesk
A new extortion crew called BlackFile has been calling retail and hospitality employees, pretending to be IT, walking them into typing credentials and OTPs into a fake corporate login page, and then registering its own MFA device on the real account. The phone call is unaffected by anything a browser does. The page the user types into is not.
A Roblox cheat, an OAuth grant, and a $2M Vercel leak
The Vercel breach disclosed this week started with a Context.ai employee downloading Roblox exploits on a personal PC, and ended with an attacker reading Vercel's customer environment variables. Bromure Enterprise, shipped this week, is built for exactly this chain.
The phishing page that built itself
Cisco Talos's Q1 2026 IR report puts phishing back on top as an initial-access vector and, inside it, documents the first case Talos attributes to an AI "vibe-coding" builder — an Outlook Web Access clone stood up on a *.softr.app subdomain, exfiltrating credentials to a disposable Google Sheet. URL reputation can't see this one coming. The right answer is down-stack.
Assume the renderer falls — what Mozilla's 271 AI-found bugs mean for browser security
An early version of Claude Mythos helped Mozilla find 271 security bugs in a single Firefox release. The right reaction is not panic, and not celebration — it is a quiet recalibration of what we still have to assume about every browser we ship, use, or build on top of.
The clipboard is the exploit — where ClickFix leaves every defender
A fake CAPTCHA writes a PowerShell one-liner to the clipboard. The user presses Win+R and pastes. No sandbox escape, no zero-day, no signed binary required — the human is the exploit. Here is what we ship against it today, where the gaps still are, and what Apple got right and wrong in macOS 26.4.
The nine-step attack that dies at step one
Microsoft documented a nine-stage ransomware chain that begins with an external Teams message impersonating the helpdesk and ends with Rclone quietly exfiltrating the network share. Eight of those nine steps need the host operating system. None of them can run against a tab.
When the store is the threat — 108 malicious Chrome extensions, one C2, 20,000 installs
A single operator pushed 108 malicious extensions onto the Chrome Web Store under five fake publishers, collected around 20,000 installs, and routed the lot to one command-and-control server. The review model didn't catch it. Here is why a security-first browser has to take a harder position.
How Bromure stops phishing before it reaches your parents
A step-by-step look at Bromure's anti-phishing — the local sweep, the model, the verdict, and why your parents, your grandparents, and the neighbor across the hall are exactly who we built it for.
LinkedIn's BrowserGate, and why one browser identity is no longer enough
LinkedIn quietly probes for 6,000+ browser extensions, harvests 48 device attributes, and pulls your LAN IP via WebRTC on every visit. The fix is not a privacy setting — it is a different shape of browser.
Trust by design — the philosophy behind Bromure
The web is hostile, security advice is failing, and AI has changed the rules. Here's why we built a browser that takes the weight off your shoulders.
Why browser zero-days are not going away, and what Bromure does about it
Apple and Google now spend tens of millions of dollars a year finding and fixing browser bugs. There are still eight to ten actively-exploited browser zero-days every year. This post lays out why that math does not change, how Claude Mythos and the "Vulnpocalypse" are about to make it worse, and why a browser built to assume it will be breached is a different kind of product.
How Bromure blocks ads before the page ever sees them
Most ad blockers are browser extensions, and most browser extensions run inside the same process as the page they are trying to protect you from. Bromure does it differently. Here is how, and why it matters.
How modern ransomware gets in — and how Bromure shuts the door
Most ransomware does not start with a zero-day. It starts with a browser tab. Here is how the attack chain actually works in 2026 — and what it looks like when it lands on a browser that was built to absorb the hit.
Running a VPN inside Bromure — and a plain-language primer on Cloudflare WARP
What a VPN actually does, what it doesn't do, why running one per profile inside Bromure changes the anonymity story, and a tour of how Cloudflare WARP works under the hood.