An unknown threat actor has been creating malicious Chrome extensions since February 2024, disguising them as useful utilities while secretly stealing data and executing malicious commands. The extensions are distributed through fake websites that impersonate legitimate services, request excessive permissions, and use cloaking techniques to evade security policies. #ChromeExtensions #DataExfiltration
Key points
- The threat actor has developed over 100 fake Chrome extensions that mimic legitimate tools and services.
- Malicious extensions can perform credential theft, session hijacking, ad injection, and phishing through DOM manipulation.
- The extensions are configured with excessive permissions, allowing broad interaction with visited websites and arbitrary code execution.
- Fake websites impersonate popular services like DeepSeek, DeBank, and FortiVPN to lure users into installation.
- Google has removed the malicious extensions, but users are advised to verify extensions from trusted sources and review permissions carefully.
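The permission problem in the third and fifth points is something a defender can check mechanically. The script below is an added example, not code from the original post or from the report it summarizes: it parses Chrome extension manifests (MV2 and MV3) and flags the combinations that grant an extension broad reach over every site the user visits, such as `<all_urls>` host access paired with `cookies`, `scripting`, `tabs` or `webRequest`, plus a relaxed content security policy. The three manifests embedded in it are constructed samples; the risk weights and the `REVIEW` threshold are assumptions chosen for illustration, not values from the page.

```python
"""
Added example (not from the original post): audit Chrome extension
manifests for overly broad permissions. Sample manifests are constructed.
"""
import json

# Host patterns that grant access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that, combined with broad host access, let an extension
# read sessions/cookies, rewrite page content, or intercept traffic.
RISKY_API_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "tabs", "history", "clipboardRead", "nativeMessaging",
    "debugger", "management", "proxy",
}

# Constructed sample manifests (not real extensions).
SAMPLE_MANIFESTS = {
    "benign": json.dumps({
        "name": "Tab Counter", "manifest_version": 3,
        "permissions": ["storage"], "host_permissions": [],
    }),
    "mv3_suspicious": json.dumps({
        "name": "VPN Helper", "manifest_version": 3,
        "permissions": ["cookies", "scripting", "tabs", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    }),
    "mv2_legacy": json.dumps({
        "name": "Old Ad Tool", "manifest_version": 2,
        "permissions": ["webRequest", "webRequestBlocking", "*://*/*"],
        "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
    }),
}


def audit_manifest(manifest: dict) -> dict:
    """Return findings for one parsed manifest (MV2 or MV3 layout)."""
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns under "host_permissions"; MV2 mixes them into
    # "permissions", so treat any URL-like entry there as a host pattern too.
    host_perms = set(manifest.get("host_permissions", []))
    host_perms |= {p for p in perms if "://" in p or p == "<all_urls>"}
    # Content scripts claim sites through their own "matches" lists.
    for cs in manifest.get("content_scripts", []):
        host_perms |= set(cs.get("matches", []))

    broad_hosts = sorted(host_perms & BROAD_HOST_PATTERNS)
    risky_apis = sorted(perms & RISKY_API_PERMISSIONS)

    # A CSP allowing eval/inline script weakens the extension sandbox.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 nests the policy under "extension_pages"
        csp = csp.get("extension_pages", "")
    weak_csp = bool(csp) and ("unsafe-eval" in csp or "unsafe-inline" in csp)

    # Illustrative weights (assumption): broad hosts and weak CSP count double.
    score = 2 * len(broad_hosts) + len(risky_apis) + (2 if weak_csp else 0)
    return {
        "name": manifest.get("name", "<unnamed>"),
        "broad_hosts": broad_hosts,
        "risky_apis": risky_apis,
        "weak_csp": weak_csp,
        "risk_score": score,
        "verdict": "REVIEW" if score >= 3 else "ok",
    }


def audit_manifest_json(text: str) -> dict:
    """Parse a manifest.json string and audit it."""
    return audit_manifest(json.loads(text))


def audit_samples() -> dict:
    """Audit every constructed sample; keyed by sample label."""
    return {label: audit_manifest_json(raw) for label, raw in SAMPLE_MANIFESTS.items()}


if __name__ == "__main__":
    for label, finding in audit_samples().items():
        print(f"{label:15} {finding['verdict']:7} score={finding['risk_score']} "
              f"hosts={finding['broad_hosts']} apis={finding['risky_apis']} "
              f"weak_csp={finding['weak_csp']}")
```

On a real machine the same function can be pointed at the `manifest.json` files under the browser profile's extensions directory; the point of the score is to surface extensions whose requested reach is out of proportion to what a "useful utility" needs, which is exactly the review step the last key point recommends.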
Read More: https://thehackernews.com/2025/05/100-fake-chrome-extensions-found.html