Full Report
As of Wednesday, a total of 36 Chrome extensions injected with data-stealing code have been detected, mostly related to artificial intelligence tools and virtual private networks.
Analysis Summary
# Compromised Chrome Extensions Pushing Data-Stealing Code via Malicious Updates
## Key Points
- Dozens of Chrome browser extensions, primarily AI and VPN tools, have been found injecting data-stealing code through malicious updates.
- **36** compromised extensions have been detected by ExtensionTotal, impacting roughly **2.6 million** users collectively.
- Specific targeted assets include Facebook Ads accounts, aiming to obtain access tokens, user IDs, and business/ad account information.
- The campaign leverages developer account compromise via sophisticated phishing, leading to the publication of malicious updates that appear legitimate.
- Browser extensions pose a high risk due to their deep access to browser data, authenticated sessions, and the ease with which updates can be pushed without extensive scrutiny.
## Threat Actors
- The specific threat actor responsible for the entire campaign remains unidentified.
- The incident involving the security firm Cyberhaven was initiated by an unidentified threat actor compromising an administrative account via phishing.
- It remains unclear if all compromised extensions are linked to the same group.
## TTPs
- **Initial Access:** Phishing emails designed to look like official notices (e.g., Google policy violations) were used to trick extension developers into handing over access to the accounts that administer their extensions.
- **Account Takeover:** Attackers gained control of administrative accounts associated with developer consoles, which carry the right to publish new extension versions.
- **Malware Delivery:** Publishing malicious code within legitimate-appearing updates to existing popular Chrome extensions (AI tools, VPNs).
- **Data Exfiltration:** Targeting sensitive browser data, specifically Facebook Ads account credentials (access tokens, user IDs).
- **Phishing Infrastructure:** Use of lookalike phishing websites posing as the Chrome Web Store to capture credentials for extension control.
- **Potential Techniques:** Reporting also raised the possibility that the same access could be used to target sensitive information on banking platforms and other web applications.
## Affected Systems
- **Software Affected:** Google Chrome browser extensions.
- **Extension Categories:** Primarily Artificial Intelligence (AI) tools and Virtual Private Networks (VPNs).
- **Specific Examples:** ChatGPT for Google Meet, Bard AI Chat, YesCaptcha Assistant, VPNCity, and Internxt VPN.
- **Victims:** The collective user base of the 36 identified extensions (approximately 2.6 million people), including specific business accounts targeted via Facebook Ads.
## Mitigations
- Organizations should restrict the use of browser extensions to only **pre-approved versions**.
- Pin approved extensions to known versions and control the update channel, so that an automatic update cannot silently replace vetted code with an unreviewed version.
- Security awareness training must emphasize the danger of phishing emails aimed at developer/administrative accounts, especially those mimicking official communications like policy violation warnings.
- Assume that a compromised developer account immediately puts every user of that extension at risk, since published updates are installed automatically and a malicious update reaches the whole user base without any action on the user's part.
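The mitigations above (allowlist pre-approved versions, control the update channel, watch for behavioural change) can be mechanised on the endpoint. The script below is an added example written for this page, not code from the report or from any vendor it names; the extension IDs, pinned versions, manifests and the internal update URL it uses are constructed placeholders. It reads the manifests in a Chrome profile's `Extensions` directory, compares them against a pinned allowlist, flags version drift and any host permissions that an update added (with a higher severity for patterns touching Facebook or all URLs), and emits the `ExtensionSettings` policy value that blocks everything not on the list.

```python
"""Audit installed Chrome extensions against a pinned allowlist and emit the
matching Chrome ExtensionSettings policy.

Added example, not code from the original report. All IDs, versions,
manifests and URLs below are constructed for illustration.
"""
import json
import sys
from pathlib import Path

# Constructed allowlist: extension ID -> pinned version. The IDs are fake
# 32-character placeholders, not the IDs of the extensions named in the report.
APPROVED = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "1.0.0",   # hypothetical AI assistant
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "3.2.1",   # hypothetical VPN client
}

# Hypothetical internal update server that serves only the vetted CRX files.
INTERNAL_UPDATE_URL = "https://extensions.corp.example/updates.xml"

# Host patterns whose appearance in an update is worth an alert on its own
# (the campaign harvested Facebook Ads session data).
SENSITIVE_HOSTS = ("<all_urls>", "facebook.com", "*://*/*")


def find_manifests(profile_dir):
    """Yield (ext_id, version, manifest) for every extension in a Chrome profile.

    Chrome lays extensions out as <profile>/Extensions/<id>/<version>_<n>/manifest.json.
    """
    for manifest in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        version = manifest.parent.name.rsplit("_", 1)[0]
        with manifest.open(encoding="utf-8") as fh:
            yield ext_id, version, json.load(fh)


def host_permissions(manifest):
    """Collect host patterns from MV2 'permissions', MV3 'host_permissions' and content_scripts."""
    hosts = set()
    for key in ("permissions", "host_permissions"):
        hosts.update(p for p in manifest.get(key, []) if "://" in p or p == "<all_urls>")
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts


def audit(installed, approved=APPROVED, baseline=None):
    """Return a list of (ext_id, finding) tuples.

    installed: iterable of (ext_id, version, manifest)
    baseline:  optional {ext_id: manifest of the approved version}, used to
               detect permission creep introduced by an update.
    """
    findings = []
    for ext_id, version, manifest in installed:
        if ext_id not in approved:
            findings.append((ext_id, f"not on allowlist (v{version})"))
            continue
        if version != approved[ext_id]:
            findings.append((ext_id, f"version drift: pinned {approved[ext_id]}, installed {version}"))
        if baseline and ext_id in baseline:
            added = host_permissions(manifest) - host_permissions(baseline[ext_id])
            for host in sorted(added):
                sev = "SENSITIVE" if any(s in host for s in SENSITIVE_HOSTS) else "new"
                findings.append((ext_id, f"{sev} host permission added: {host}"))
    return findings


def build_extension_settings_policy(approved, update_url=INTERNAL_UPDATE_URL):
    """Build the Chrome 'ExtensionSettings' policy value.

    '*' blocks every extension not listed. Approved IDs are force-installed from
    an update_url we control, which is how a version is actually pinned: Chrome
    policy has no maximum-version setting, and minimum_version_required only
    prevents downgrades below the pinned version.
    """
    policy = {"*": {"installation_mode": "blocked",
                    "blocked_install_message": "Only pre-approved extensions are permitted."}}
    for ext_id, version in approved.items():
        policy[ext_id] = {"installation_mode": "force_installed",
                          "update_url": update_url,
                          "minimum_version_required": version}
    return policy


# Constructed sample data: the manifest of the approved 1.0.0 build, and a
# hypothetical 1.0.1 update that quietly widened host access to Facebook.
BASELINE_MANIFEST = {"manifest_version": 3, "version": "1.0.0",
                     "host_permissions": ["https://meet.google.com/*"]}
UPDATED_MANIFEST = {"manifest_version": 3, "version": "1.0.1",
                    "host_permissions": ["https://meet.google.com/*", "https://*.facebook.com/*"],
                    "content_scripts": [{"matches": ["https://www.facebook.com/*"], "js": ["inject.js"]}]}
SAMPLE_INSTALLED = [
    ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0.1", UPDATED_MANIFEST),
    ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "3.2.1",
     {"manifest_version": 2, "version": "3.2.1", "permissions": ["proxy", "<all_urls>"]}),
    ("cccccccccccccccccccccccccccccccc", "0.9", {"manifest_version": 3, "version": "0.9"}),
]


def demo():
    """Run the audit over the constructed sample and return its findings."""
    return audit(SAMPLE_INSTALLED, APPROVED,
                 {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": BASELINE_MANIFEST})


if __name__ == "__main__":
    # With a profile path argument, audit the real install; otherwise use the sample.
    installed = find_manifests(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INSTALLED
    for ext_id, finding in audit(installed, APPROVED,
                                 {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": BASELINE_MANIFEST}):
        print(f"{ext_id}: {finding}")
    print(json.dumps(build_extension_settings_policy(APPROVED), indent=2))
```

Run without arguments it audits the constructed sample, reporting the unlisted extension, the version drift on the AI assistant and the two Facebook host patterns the update added; pass a profile directory (for example `~/.config/google-chrome/Default` on Linux) to audit a real install. The baseline manifests should come from the vetted package you approved, not from the installed copy, otherwise a malicious update becomes its own baseline.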
## Conclusion
This campaign represents a significant supply chain risk leveraging the trust placed in popular browser extensions. The primary threat lies in developer account compromise followed immediately by the distribution of data-stealing malware through seemingly legitimate updates. Organizations must enforce strict policies regarding extension usage and verify the authenticity of developer communications intended to solicit account access or credential updates. Continuous monitoring for changes in extension behavior is critical given the speed at which malicious updates can be deployed.