Today we’re speaking with Dominic Jainy, an IT professional whose work at the intersection of artificial intelligence and security gives him a unique perspective on the evolving digital threat landscape. As businesses lean more heavily on web browsers for everything from SaaS applications to generative AI, these critical gateways have become a focal point for cyberattacks. We’ll explore the alarming dominance of browser-based malware, the hidden risks lurking in extensions and AI tools, the erosion of trust in so-called privacy software, and the frantic race to patch critical flaws before they’re exploited.
One report found that browser-based malware accounted for 70% of all observed malware events. What specific types of attacks are driving this statistic, and can you walk us through the typical lifecycle of a browser-based threat, from initial employee contact to organizational impact?
That 70% figure is staggering, and it truly underscores how the browser has become the new battleground. It’s not one single type of attack, but a whole ecosystem. We’re seeing everything from malicious ad injections and session hijacking to credential harvesters embedded in rogue extensions. The lifecycle often starts with something deceptively simple: an employee clicks on a compromised link or downloads a seemingly legitimate file. The initial malware is often lightweight, designed to execute silently within the browser’s environment. From that small foothold, it begins to probe. It might steal saved cookies to impersonate the user in other corporate systems, or it could quietly install a more persistent threat, like a keylogger. The real danger is how it turns a trusted tool—the browser—into an insider threat, exfiltrating sensitive data or moving laterally across the network, all under the guise of normal user activity.
With GenAI now reportedly causing 32% of corporate data exfiltration, and extensions called the “largest unmanaged supply chain,” what practical, step-by-step process should a security team implement to audit extensions and monitor employee interactions with AI tools to mitigate these specific risks?
The phrase “largest unmanaged supply chain” is chillingly accurate. Organizations have spent years securing their software supply chain but have often ignored the dozens of third-party extensions running with high privileges inside their browsers. The first step is to get visibility. You can’t manage what you can’t see, so a security team must begin with a comprehensive inventory of every extension installed across the enterprise. Next comes risk assessment: analyze the permissions each extension requests. Does a simple note-taking app really need to read data from every website you visit? Create a strict allow-list of vetted, necessary extensions and block everything else. For GenAI, which the data shows is a massive vector for data loss, the approach must be similar. We need to implement robust data loss prevention (DLP) policies that monitor and control what information employees are pasting into chatbots. That 32% statistic is a clear signal that employees are moving sensitive corporate data into these personal or public AI tools, and we have to treat that flow of data with extreme scrutiny.
The Urban VPN extension, marketed for privacy, was found harvesting AI chatbot conversations. Considering this was disclosed in its privacy policy, how should organizations re-evaluate the trust they place in third-party tools, and what specific red flags should they look for beyond marketing claims?
The Urban VPN case is a perfect, and frankly terrifying, example of why marketing claims mean absolutely nothing in security. The trust model is broken. Organizations must operate on a “distrust and verify” basis for every single third-party tool, especially those that are free. The fact that this data harvesting was buried in a privacy policy isn’t a defense; it’s a deliberate deception. The biggest red flag is a conflict of interest. A VPN company affiliated with a data broker like BiScience should set off immediate alarm bells. Other red flags include overly broad permission requests—a VPN should not need to inject scripts into your web pages. Finally, look at the business model. If a product that requires significant infrastructure is free, you have to ask yourself: how are they making money? More often than not, the user’s data is the real product being sold.
Apple and Google recently patched critical zero-day flaws like CVE-2025-14174. When such a vulnerability is announced, could you detail the immediate response protocol for a large company, including the key challenges in deploying patches across a hybrid workforce before exploits become widespread?
When a critical zero-day in something as ubiquitous as WebKit is announced, it’s an all-hands-on-deck emergency. The first action is immediate triage and communication. The security team must rapidly identify every affected device—in this case, every iPhone, iPad, and Mac—and communicate the urgency to the entire organization. For corporate-managed devices, we initiate a forced patch deployment through management tools. You cannot wait for users to click “update later.” The biggest challenge, without a doubt, is the hybrid workforce. With personal devices or employees working from remote networks, you lose that centralized control. This is where network access control becomes vital. We can configure the network to block access to corporate resources from any device that hasn’t installed the patch. It’s a race against time, because as the article notes, these flaws might have already been actively exploited in targeted attacks, meaning you’re already behind from the moment the patch is released.
Malware like the Cellik RAT can steal browser autofill data and is easily available as a service. How has this accessible malware-as-a-service model changed the threat for mobile users, and what concrete defensive habits should individuals adopt to protect against such threats?
The malware-as-a-service model has completely democratized cybercrime. An advanced tool like the Cellik RAT, which offers full device control and can steal browser data, is available for as little as $150 a month. This means you no longer need to be a skilled hacker to launch a devastating attack; any low-skilled attacker can now rent sophisticated capabilities. This dramatically increases the volume and unpredictability of threats. For individuals, this new reality demands heightened vigilance. First, never, ever sideload applications from untrusted sources. Second, be extremely stingy with browser autofill. It’s convenient to save your credit card and address, but it creates a centralized treasure trove for malware to steal in one go. Finally, scrutinize app permissions. If an app asks for more access than it needs to perform its basic function, deny it. Treat every permission request as a potential vector for compromise.
What is your forecast for the evolution of browser-based threats over the next two years?
I believe we’re on the cusp of a major escalation. The browser is no longer just a target; it’s the entire operating environment. Over the next two years, I predict we’ll see AI-driven attacks become the norm, with malware that can craft hyper-personalized phishing attacks in real time, directly within a browser session. The extension ecosystem will become an even more intense battleground, with supply chain attacks targeting popular extensions to infect millions of users at once. Most concerningly, I foresee malware evolving beyond simple data theft to actively manipulate business processes through the browser. Imagine a threat that doesn’t just steal credentials but uses them to log into a SaaS platform and subtly alter financial records or approve fraudulent transactions. The browser is the new endpoint, and the threats will become smarter, more integrated, and far more damaging.