Massive Attack Compromises at Least 36 Google Chrome Extensions
New details have emerged about a phishing campaign targeting Chrome extension developers. It turns out that the attacks led to the compromise of at least 36 extensions, which were subsequently injected with data-stealing code.
In late December 2024, it was reported that the extension from Swiss cybersecurity startup Cyberhaven, along with at least four other Chrome extensions, had been targeted by unknown hackers. According to Cyberhaven experts at the time, the attackers may have stolen confidential user data from the compromised extensions, including cookies and session information.
It has now become clear that the scale of the attack was somewhat broader than initially thought. According to the latest data, developers of at least 36 extensions—used by more than 2,600,000 people—were affected by similar breaches.
Based on reports from developers on LinkedIn and Google Groups, the malicious campaign began as early as December 5, 2024. However, it was discovered that the attackers’ control domains had existed since March 2024.
How the Attack Worked
The attacks on developers started with phishing emails using domains such as supportchromestore[.]com, forextensions[.]com, and chromeforextension[.]com. The emails were crafted to appear as official messages from Google, claiming that the extension was violating Chrome Web Store policies and could soon be removed. Developers were urged to believe that their product descriptions contained inaccurate information and that they needed to agree to the Chrome Web Store policy.
If a developer clicked the embedded “Go To Policy” button in the email to find out which rules they had allegedly violated, they were taken to a legitimate Google login page for a malicious OAuth application. This page is part of Google’s standard authorization process and is intended to grant third-party apps access to certain account resources.
The attackers had published a malicious OAuth app on the platform called “Privacy Policy Extension,” which asked the victim to grant permission to manage Chrome Web Store extensions through their account.
Why Security Measures Failed
Multi-factor authentication (MFA) did not help protect accounts in this case: granting an OAuth application access does not require a separate, direct approval step, and the OAuth model assumes the user fully understands the permissions being requested and their consequences.
“Our employee followed the standard process and inadvertently authorized a malicious third-party application,” explained a report on the attack published by the affected company, Cyberhaven. “The employee had Google Advanced Protection and MFA enabled on their account. However, the employee did not receive any MFA prompts. The employee’s Google credentials were not compromised.”
What Happened After the Breach
Once the attackers gained access to a developer’s account, they modified the extension by injecting two malicious files (worker.js and content.js) containing code to steal Facebook* account data. The compromised extension was then published in the Chrome Web Store as a new version.
According to Extension Total, 36 extensions fell victim to these attacks, but indicators of compromise suggest that many more developers may have been affected by unknown attackers.
Data from VirusTotal shows that the attackers pre-registered domains for targeted extensions, even if those extensions were not ultimately attacked. While most domains were created in November and December 2024, Bleeping Computer reports that hackers were testing these attacks as early as March 2024.
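Since the compromised extensions reached users as ordinary version updates carrying new script files and a content script for a site the extension never touched before, a defender reviewing a new release can diff the unpacked package against the previous one. The following is an added example, not code from the article or from any affected vendor; the function names, the sample manifests and the file contents are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Manifest keys whose change in a new version deserves a manual review.
MANIFEST_KEYS = ("permissions", "host_permissions", "background", "content_scripts")

def write_extension(root: Path, manifest: dict, files: dict) -> None:
    """Write a minimal unpacked extension directory (constructed sample data)."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "manifest.json").write_text(json.dumps(manifest))
    for name, body in files.items():
        (root / name).write_text(body)

def diff_extension_versions(old: Path, new: Path) -> dict:
    """Report what a reviewer should look at before trusting a new version:
    script files that did not exist before, and manifest keys that changed."""
    old_files = {p.relative_to(old).as_posix() for p in old.rglob("*") if p.is_file()}
    new_files = {p.relative_to(new).as_posix() for p in new.rglob("*") if p.is_file()}
    old_manifest = json.loads((old / "manifest.json").read_text())
    new_manifest = json.loads((new / "manifest.json").read_text())
    added_scripts = sorted(f for f in new_files - old_files if f.endswith(".js"))
    manifest_changes = {
        key: {"old": old_manifest.get(key), "new": new_manifest.get(key)}
        for key in MANIFEST_KEYS
        if old_manifest.get(key) != new_manifest.get(key)
    }
    return {"added_scripts": added_scripts, "manifest_changes": manifest_changes}

def demo() -> dict:
    """Constructed example: a benign v1.0 and a v1.1 that gained two new scripts,
    a new permission and a content script for a site v1.0 never matched."""
    base = Path(tempfile.mkdtemp())
    v1 = {"manifest_version": 3, "name": "Example Helper", "version": "1.0",
          "permissions": ["storage"], "background": {"service_worker": "background.js"}}
    write_extension(base / "v1", v1, {"background.js": "// benign background logic"})
    v2 = dict(v1, version="1.1",
              permissions=["storage", "cookies"],
              background={"service_worker": "worker.js"},
              content_scripts=[{"matches": ["*://*.facebook.com/*"], "js": ["content.js"]}])
    write_extension(base / "v2", v2, {"background.js": "// benign background logic",
                                      "worker.js": "// new file", "content.js": "// new file"})
    return diff_extension_versions(base / "v1", base / "v2")

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report lists every newly added script and each changed manifest key with its old and new value, which is the material a release reviewer or a browser-management team would inspect before allowing the update.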
What the Malicious Code Did
The injected malicious code aimed to obtain the extension user’s Facebook ID, access token, account information, ad account details, and business account data. The code also added a listener for mouse click events specifically on Facebook.com* and searched for images of QR codes related to two-factor authentication or CAPTCHA mechanisms. All stolen information was eventually sent to the hackers’ command-and-control server.
According to journalists, hackers typically use Facebook business accounts to make direct payments from victims’ credit accounts, run disinformation or phishing campaigns on the platform, or monetize them directly by selling access to third parties.
*Facebook is a registered trademark of Meta Platforms, Inc.