A massive phishing campaign has compromised at least 35 Google Chrome extensions, collectively used by approximately 2.6 million users, injecting malicious code to steal sensitive information from unsuspecting victims.

Early indicators suggest that the hackers employed deceptive emails, posing as official notifications from Google Chrome Web Store Developer Support, to trick extension publishers into granting attackers [OAuth](https://cybersecuritynews.com/oauth-2-0/) permissions over their projects.

*Image: Fake Notification*

By doing so, the threat actors bypassed multi-factor authentication measures and gained the ability to upload new, compromised versions of these Chrome extensions.

Security researchers report that the compromises range from popular [virtual private network (VPN)](https://cybersecuritynews.com/which-is-better-for-your-business-security/) tools to AI-powered browser integrations and productivity add-ons.

According to multiple incident disclosures, the malicious code specifically attempts to extract user session tokens, cookies, and credentials for social media accounts, particularly Facebook Ads dashboards.

One primary target of this campaign is corporate accounts with access to paid advertising features. Investigations also uncovered hard-coded command and control (C2) domains in the malicious JavaScript files, enabling the attackers to download configurations remotely and exfiltrate private user data.

Cyberhaven, a California-based data protection company, was among the first to [confirm the breach](https://cybersecuritynews.com/cyberhaven-chrome-extension-hacked/).
The company disclosed that on Christmas Eve, a [phishing attack](https://cybersecuritynews.com/phishing-attack/) compromised an employee’s credentials, allowing hackers to publish a malicious version of their Chrome extension (version 24.10.4).

Among the [affected extensions](https://www.extensiontotal.com/cyberhaven-incident-live) are ‘AI Assistant,’ ‘VPNCity,’ ‘Reader Mode,’ and ‘Web Mirror,’ along with at least 30 other known browser tools. In several documented proofs of concept, once activated, the compromised code sends details of user sessions or cookies back to attacker-controlled servers.

Initially, it was observed that [16 Chrome Extensions](https://cybersecuritynews.com/hackers-hijacked-16-chrome-extensions/) were hijacked, but further analysis reveals that 35 extensions installed by 2,600,000 users were compromised.

**35 Affected Extensions**

| Extension Name | Status | Version / Identifier |
| --- | --- | --- |
| Where is Cookie? | Not yet addressed | emedckhdnioeieppmeojgegjfkhdlaeo |
| Web Mirror | Not yet addressed | eaijffijbobmnonfhilihbejadplhddo |
| ChatGPT App | Not yet addressed | lbneaaedflankmgmfbmaplggbmjjmbae |
| Hi AI | Not yet addressed | hmiaoahjllhfgebflooeeefeiafpkfde |
| Web3Password Manager | Not yet addressed | pdkmmfdfggfpibdjbbghggcllhhainjo |
| YesCaptcha assistant | Not yet addressed | jiofmdifioeejeilfkpegipdjiopiekl@1.1.61 |
| Bookmark Favicon Changer | Addressed | 5.1 / acmfnomgphggonodopogfbmkneepfgnh@4.00 |
| Proxy SwitchyOmega (V3) | Not yet addressed | hihblcmlaaademjlakdpicchbjnnnkbo@3.0.2 |
| GraphQL Network Inspector | Addressed | 2.22.7 / ndlbedplllcgconngcnfmkadhokfaaln@2.22.6 |
| AI Assistant | Removed from store | bibjgkidgpfbblifamdlkdlhgihmfohh |
| Bard AI chat | Removed from store | pkgciiiancapdlpcbppfkmeaieppikkk |
| ChatGPT for Google Meet | Removed from store | epdjhgbipjpbbhoccdeipghoihibnfja |
| Search Copilot AI Assistant for Chrome | Removed from store | bbdnohkpnbkdkmnkddobeafboooinpla |
| TinaMind | Addressed | 2.14.0 / befflofjcniongenjmbkgkoljhgliihe |
| Wayin AI | Addressed | 0.0.11 / cedgndijpacnfbdggppddacngjfdkaca |
| VPNCity | Not yet addressed | nnpnnpemnckcfdebeekibpiijlicmpom |
| Internxt VPN | Addressed | 1.2.0 / dpggmcodlahmljkhlmpgpdcffdaoccni |
| Vidnoz Flex | Removed from store | cplhlgabfijoiabgkigdafklbhhdkahj |
| VidHelper | Not yet addressed | egmennebgadmncfjafcemlecimkepcle |
| Castorus | Addressed | 4.41 / mnhffkhmpnefgklngfmlndmkimimbphc |
| Uvoice | Not yet addressed | oaikpkmjciadfpddlpjjdapglcihgdle |
| Reader Mode | Not yet addressed | fbmlcbhdmilaggedifpihjgkkmdgeljh |
| ParrotTalks | Not yet addressed | kkodiihpgodmdankclfibbiphjkfdenh |
| Primus | Addressed | 3.20.0 / oeiomhmbaapihbilkfkhmlajkeegnjhe |
| Keyboard History Recorder | Not yet addressed | igbodamhgjohafcenbcljfegbipdfjpk |
| ChatGPT Assistant | Not yet addressed | bgejafhieobnfpjlpcjjggoboebonfcg |
| Reader Mode | Removed from store | llimhhconnjiflfimocjggfjdlmlhblm |
| Visual Effects for Google Meet | Addressed | 3.2.4 / hodiladlefdpcbemnbbcpclbmknkiaem |
| AI Shop Buddy | Not yet addressed | epikoohpebngmakjinphfiagogjcnddm |
| Cyberhaven V3 Security Extension | Addressed | pajkjnmeojmbapicmbpliphjmcekeaac |
| Earny | Not yet addressed | oghbgbkiojdollpjbhbamafmedkeockb |
| Rewards Search Automator | Not yet addressed | eanofdhdfbcalhflpbdipkjjkoimeeod |
| Tackker | Addressed | ekpkdmohpdnebfedjjfklhpefgpgaaji |
| Sort By | Not yet addressed | miglaibdlgminlepgeifekifakochlka |
| Email Hunter | Not yet addressed | mbindhfolmpijhodmgkloeeppmkhpmhc |

Many of the C2 domains were found to have been registered and tested in earlier months, suggesting that the campaign may have begun as far back as March 2024.

Reports indicate that the total number of targeted extensions may exceed the 35 publicly confirmed so far, as investigators continue analyzing newly discovered command and control subdomains.

The primary attack vector appears to be a sophisticated [phishing](https://cybersecuritynews.com/phishing-attack/) email disguised as a compliance or violation notice from Google, alerting developers to ‘unnecessary details in the description’ or ‘misleading metadata.’

When recipients clicked through, they were redirected to a seemingly legitimate Google login page for an application named ‘Privacy Policy Extension.’ Granting access here allowed the attackers to assume control of the developers’ Chrome Web Store accounts, publish tampered updates, and push them directly to users without raising immediate suspicion.

Analysis of the malicious payloads suggests hackers were looking to harvest cookies from popular platforms, saving them to local storage and sending them off to external [C2 servers](https://cybersecuritynews.com/command-and-controlc2-server/).

Some evidence points to the exploitation of Facebook-related tokens and business marketing tools, though experts warn that secondary objectives around AI tools and corporate platforms could also be in play.

Security researchers advise users and organizations to uninstall or update these compromised extensions immediately.
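The advice to uninstall or update the listed extensions can be turned into an endpoint sweep. The Python script below is an added example, not code from the article, from Cyberhaven or from any of the listed projects. It walks Chrome's on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json` and reports every installed extension whose ID appears in the table above. A hit is marked confirmed only where the page names a compromised build (the `@version` suffix in the table, and 24.10.4 for Cyberhaven from the text) and the installed version equals it; reading that suffix as the compromised build is an assumption. The sample profile the script builds is constructed for the demonstration, and the ID `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa` is a placeholder, not a real extension.

```python
import json
import tempfile
from pathlib import Path

# Extension IDs from the affected-extensions table on this page, mapped to
# (name, status, compromised version). The compromised version is the "@version"
# suffix from the table (24.10.4 for Cyberhaven comes from the text); treating
# that suffix as the compromised build is an assumption.
AFFECTED = {
    "emedckhdnioeieppmeojgegjfkhdlaeo": ("Where is Cookie?", "Not yet addressed", None),
    "eaijffijbobmnonfhilihbejadplhddo": ("Web Mirror", "Not yet addressed", None),
    "lbneaaedflankmgmfbmaplggbmjjmbae": ("ChatGPT App", "Not yet addressed", None),
    "hmiaoahjllhfgebflooeeefeiafpkfde": ("Hi AI", "Not yet addressed", None),
    "pdkmmfdfggfpibdjbbghggcllhhainjo": ("Web3Password Manager", "Not yet addressed", None),
    "jiofmdifioeejeilfkpegipdjiopiekl": ("YesCaptcha assistant", "Not yet addressed", "1.1.61"),
    "acmfnomgphggonodopogfbmkneepfgnh": ("Bookmark Favicon Changer", "Addressed", "4.00"),
    "hihblcmlaaademjlakdpicchbjnnnkbo": ("Proxy SwitchyOmega (V3)", "Not yet addressed", "3.0.2"),
    "ndlbedplllcgconngcnfmkadhokfaaln": ("GraphQL Network Inspector", "Addressed", "2.22.6"),
    "bibjgkidgpfbblifamdlkdlhgihmfohh": ("AI Assistant", "Removed from store", None),
    "pkgciiiancapdlpcbppfkmeaieppikkk": ("Bard AI chat", "Removed from store", None),
    "epdjhgbipjpbbhoccdeipghoihibnfja": ("ChatGPT for Google Meet", "Removed from store", None),
    "bbdnohkpnbkdkmnkddobeafboooinpla": ("Search Copilot AI Assistant for Chrome", "Removed from store", None),
    "befflofjcniongenjmbkgkoljhgliihe": ("TinaMind", "Addressed", None),
    "cedgndijpacnfbdggppddacngjfdkaca": ("Wayin AI", "Addressed", None),
    "nnpnnpemnckcfdebeekibpiijlicmpom": ("VPNCity", "Not yet addressed", None),
    "dpggmcodlahmljkhlmpgpdcffdaoccni": ("Internxt VPN", "Addressed", None),
    "cplhlgabfijoiabgkigdafklbhhdkahj": ("Vidnoz Flex", "Removed from store", None),
    "egmennebgadmncfjafcemlecimkepcle": ("VidHelper", "Not yet addressed", None),
    "mnhffkhmpnefgklngfmlndmkimimbphc": ("Castorus", "Addressed", None),
    "oaikpkmjciadfpddlpjjdapglcihgdle": ("Uvoice", "Not yet addressed", None),
    "fbmlcbhdmilaggedifpihjgkkmdgeljh": ("Reader Mode", "Not yet addressed", None),
    "kkodiihpgodmdankclfibbiphjkfdenh": ("ParrotTalks", "Not yet addressed", None),
    "oeiomhmbaapihbilkfkhmlajkeegnjhe": ("Primus", "Addressed", None),
    "igbodamhgjohafcenbcljfegbipdfjpk": ("Keyboard History Recorder", "Not yet addressed", None),
    "bgejafhieobnfpjlpcjjggoboebonfcg": ("ChatGPT Assistant", "Not yet addressed", None),
    "llimhhconnjiflfimocjggfjdlmlhblm": ("Reader Mode", "Removed from store", None),
    "hodiladlefdpcbemnbbcpclbmknkiaem": ("Visual Effects for Google Meet", "Addressed", None),
    "epikoohpebngmakjinphfiagogjcnddm": ("AI Shop Buddy", "Not yet addressed", None),
    "pajkjnmeojmbapicmbpliphjmcekeaac": ("Cyberhaven V3 Security Extension", "Addressed", "24.10.4"),
    "oghbgbkiojdollpjbhbamafmedkeockb": ("Earny", "Not yet addressed", None),
    "eanofdhdfbcalhflpbdipkjjkoimeeod": ("Rewards Search Automator", "Not yet addressed", None),
    "ekpkdmohpdnebfedjjfklhpefgpgaaji": ("Tackker", "Addressed", None),
    "miglaibdlgminlepgeifekifakochlka": ("Sort By", "Not yet addressed", None),
    "mbindhfolmpijhodmgkloeeppmkhpmhc": ("Email Hunter", "Not yet addressed", None),
}


def scan_extensions_dir(ext_root):
    """Report installed extensions whose ID is on the affected list.

    Expects Chrome's layout <profile>/Extensions/<id>/<version>/manifest.json.
    'confirmed' is True only when the installed version equals the compromised
    version named for that ID; every other hit still needs a manual check.
    """
    hits = []
    root = Path(ext_root)
    for id_dir in (sorted(root.iterdir()) if root.is_dir() else []):
        if not id_dir.is_dir() or id_dir.name not in AFFECTED:
            continue
        name, status, bad_version = AFFECTED[id_dir.name]
        for ver_dir in sorted(id_dir.iterdir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                installed = json.loads(manifest.read_text(encoding="utf-8"))["version"]
            except (OSError, ValueError, KeyError):
                installed = ver_dir.name.split("_")[0]  # Chrome names the folder <version>_<n>
            hits.append({"id": id_dir.name, "name": name, "status": status,
                         "installed_version": installed,
                         "confirmed": bad_version is not None and installed == bad_version})
    return hits


def build_sample_profile(base):
    """Create a constructed Extensions tree for an offline demonstration."""
    samples = [
        ("pajkjnmeojmbapicmbpliphjmcekeaac", "24.10.4_0", "24.10.4"),  # compromised build
        ("ndlbedplllcgconngcnfmkadhokfaaln", "2.22.7_0", "2.22.7"),    # fixed build, still listed
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0_0", "1.0"),          # placeholder ID, not listed
    ]
    ext_root = Path(base) / "Extensions"
    for ext_id, folder, version in samples:
        d = ext_root / ext_id / folder
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": "sample", "version": version}))
    return ext_root


def demo():
    """Run the sweep against the constructed profile and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extensions_dir(build_sample_profile(tmp))


if __name__ == "__main__":
    for hit in demo():
        flag = "COMPROMISED BUILD" if hit["confirmed"] else "listed, verify"
        print(f'{hit["id"]} {hit["name"]!r} v{hit["installed_version"]} [{hit["status"]}]: {flag}')
```

To sweep a real machine, call `scan_extensions_dir` on the profile's extension folder instead of the constructed one, for example `~/.config/google-chrome/Default/Extensions` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows, and treat unconfirmed hits on "Not yet addressed" or "Removed from store" entries as candidates for removal rather than as clean.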
Official recommendations include resetting passwords, revoking active sessions, reviewing browser extension permissions, and monitoring unusual activity on personal and business accounts. Developers are urged to remain vigilant about phishing attempts and to enable robust application security checks.

While many extensions have been taken down or patched, the situation is still evolving. Users should frequently verify extension legitimacy, update browsers and plugins, and exercise caution when prompted with sudden policy violation messages purporting to be from Google.

The post [New Update — 35 Google Chrome Extensions Hacked to Inject Malicious Code](https://cybersecuritynews.com/35-google-chrome-extensions-hacked/) appeared first on [Cyber Security News](https://cybersecuritynews.com).