Google Chrome 146 introduces Device Bound Session Credentials (DBSC) for Windows on TPM-equipped devices, cryptographically binding session cookies to device hardware to counter infostealer-driven session hijacking techniques such as those used by LummaC2. This is a defensive capability announcement rather than a vulnerability; no immediate remediation action is required, but organizations should assess IdP readiness (Okta, Microsoft Entra) and device TPM coverage to plan for DBSC adoption. Until DBSC is universally active across the IdP and application stack, detection focus should remain on infostealer collection-stage indicators and anomalous session behavior post-authentication.