The article details how a VSCode WebView vulnerability lets an attacker capture the OAuth token issued to github.dev, use keyboard‑event relay to install a malicious extension, and ultimately gain read‑write access to all of a victim’s private GitHub repositories, while also providing a PoC and mitigation steps.
Google unintentionally released a proof‑of‑concept for a Chromium bug that has lingered unfixed for 42 months, allowing attackers to keep Service Workers alive, turn browsers into silent botnet nodes, and potentially compromise millions of users before a patch arrives.
CVE‑2026‑40369 is an arbitrary kernel‑address write bug in ntoskrnl.exe that lets a low‑privilege attacker invoke NtQuerySystemInformation from the Chrome sandbox to gain SYSTEM rights on vulnerable Windows 11 and Server 2025 builds, with a fully functional PoC released on GitHub.
A new CVE‑2026‑33829 vulnerability in Windows' Snipping Tool lets attackers steal Net‑NTLM hash credentials via a malicious deep‑link URI, and a low‑skill PoC demonstrates the exploit while Microsoft’s April 14 2026 patch and mitigation steps are detailed.
