Thursday, May 8, 2025

Widespread Chrome Malware: 16 Extensions Infect Over 3.2 Million Users


An investigation by GitLab Threat Intelligence has uncovered a cluster of 16 malicious Chrome extensions that together have at least 3.2 million users.

The extensions, which advertise ordinary functionality such as screen capture, ad blocking, and emoji keyboards, were found to inject code into the web pages a user visits, facilitating advertising and search engine optimization fraud.

The threat actor behind the campaign is believed to have acquired some of these extensions from their original developers, rather than by compromising the developers' accounts, and has been trojanizing extensions since at least July 2024.


Malicious Operations

The malicious extensions operate by checking in with per-extension configuration servers, transmitting the extension version and a hardcoded ID, and storing the returned configuration in the extension's local storage.

They also register browser alarms to refresh this configuration periodically, and they degrade browser security by stripping Content Security Policy (CSP) headers from page responses, removing the page's own defence against injected scripts.

This allows the threat actor to inject obfuscated JavaScript payloads into web pages, potentially leading to leakage of sensitive information and unauthorized access to the user's sessions.

The extensions were identified to use Bunny CDN infrastructure and DigitalOcean Apps for their configuration servers, with consistent headers indicating a single Express application.
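The CSP stripping described above is done with the browser's own network-rule mechanism, so it can be found by inspecting an extension's rule files and manifest rather than by observing it at runtime. The following is an added example, not code from the GitLab report or from the extensions it describes: a static check for declarativeNetRequest rules that remove Content-Security-Policy response headers, plus a triage of the permission combination the article mentions (storage for the fetched config, alarms for the periodic refresh, declarativeNetRequest and broad host access for header rewriting). The rule set and manifest are constructed for illustration; in a real extension the rules live in the JSON files listed under "declarative_net_request" in manifest.json.

```javascript
// Added example, not code from the report or the trojanized extensions.
// Static checks over a constructed declarativeNetRequest rule set and a
// constructed manifest.json.

const CSP_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
]);

// urlFilter values that match every request.
const MATCH_ALL_FILTERS = new Set(["*", "|http", "|https", "*://*/*"]);

// Constructed sample rule set: rule 1 is an ordinary tracker block,
// rule 2 removes CSP headers from every document response.
const sampleRules = [
  {
    id: 1, priority: 1,
    action: { type: "block" },
    condition: { urlFilter: "||tracker.example/", resourceTypes: ["script"] },
  },
  {
    id: 2, priority: 1,
    action: {
      type: "modifyHeaders",
      responseHeaders: [
        { header: "Content-Security-Policy", operation: "remove" },
        { header: "Content-Security-Policy-Report-Only", operation: "remove" },
      ],
    },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] },
  },
];

// Returns one finding per rule that removes or overwrites a CSP header.
function findCspStrippingRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    const hits = (action.responseHeaders || [])
      .filter((h) => CSP_HEADERS.has(String(h.header).toLowerCase()) &&
                     (h.operation === "remove" || h.operation === "set"))
      .map((h) => String(h.header).toLowerCase());
    if (hits.length === 0) continue;
    const cond = rule.condition || {};
    const scopedToDomains = Array.isArray(cond.requestDomains) && cond.requestDomains.length > 0;
    const matchAll = cond.urlFilter === undefined || MATCH_ALL_FILTERS.has(cond.urlFilter);
    const types = cond.resourceTypes || [];
    findings.push({
      ruleId: rule.id,
      headers: hits,
      scope: !scopedToDomains && matchAll ? "all-sites" : "scoped",
      // Stripping CSP on documents (not just subresources) is what lets
      // injected inline scripts execute in the page.
      targetsDocuments: types.length === 0 || types.includes("main_frame") || types.includes("sub_frame"),
    });
  }
  return findings;
}

// Constructed manifest showing the permission combination the article
// describes. The name is a placeholder, not one of the 16 extensions.
const sampleManifest = {
  manifest_version: 3,
  name: "Emoji Keyboard (constructed sample)",
  permissions: ["storage", "alarms", "declarativeNetRequest", "scripting"],
  host_permissions: ["<all_urls>"],
};

// Lists which indicator permissions a manifest requests. This is a triage
// signal only; plenty of legitimate extensions need some of these.
function manifestIndicators(manifest) {
  const perms = new Set(manifest.permissions || []);
  const hosts = manifest.host_permissions || [];
  const indicators = [];
  if (perms.has("declarativeNetRequest") || perms.has("declarativeNetRequestWithHostAccess")) indicators.push("rewrites-network-rules");
  if (perms.has("alarms")) indicators.push("periodic-wakeups");
  if (perms.has("storage")) indicators.push("local-config-store");
  if (perms.has("scripting")) indicators.push("can-inject-scripts");
  if (hosts.some((h) => h === "<all_urls>" || h === "*://*/*")) indicators.push("all-sites-host-access");
  return indicators;
}

console.log(findCspStrippingRules(sampleRules));
console.log(manifestIndicators(sampleManifest));
```

Run it with Node against the unpacked extension directory's rule files (after `JSON.parse`) to get a list of rules that weaken CSP, with the scope and whether documents are targeted. A rule that strips CSP for all sites on main frames is the pattern worth escalating; a rule scoped to a handful of domains may be a legitimate compatibility shim and needs a human look.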

Impact

The threat actor's attack chain is a multistage process that the researchers have not yet fully replicated.

What is known is that the malicious extensions modify the browser's network filtering rules to make their automated requests look like organic traffic, block competing tracking services, and allow the advertising domains they monetize.

According to the GitLab report, the campaign poses a significant threat to users and organizations because it exploits trust in the Chrome Web Store and the automatic update mechanism of browser extensions: a previously clean extension can turn malicious in a routine update.

Following the discovery, Google was notified, and all identified extensions have been removed from the Chrome Web Store.

However, removal from the store does not uninstall an extension that is already installed, so affected users must remove these extensions themselves from chrome://extensions.

Recommendations for individuals include being cautious about the permissions an extension requests and regularly reviewing the extensions they have installed.

Organizations are advised to implement application controls that restrict which extensions can be installed, and to monitor installed extensions for changes in permissions or ownership.
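Restricting installation to an allowlist and watching for permission creep are both mechanical tasks. The following is an added example, not code from the GitLab report: a generator for a Chrome managed policy that allowlists approved extension IDs and blocks everything else, and a diff between two snapshots of installed extensions that flags newly added permissions, broadened host access, installs outside the allowlist, and update sources other than the Web Store. The snapshots mimic a few fields of what `chrome.management.getAll()` returns; the IDs, names and the non-store update URL are placeholders.

```javascript
// Added example, not code from the report. Chrome enterprise policy
// generation plus a snapshot diff over constructed extension inventories.

// Block all extensions, then allow only the listed IDs. These are real
// Chrome policy names; the IDs passed in are placeholders.
function buildManagedPolicy(allowedIds) {
  const settings = { "*": { installation_mode: "blocked" } };
  for (const id of allowedIds) settings[id] = { installation_mode: "allowed" };
  return {
    ExtensionInstallBlocklist: ["*"],
    ExtensionInstallAllowlist: [...allowedIds],
    ExtensionSettings: settings,
  };
}

// Update URL used by extensions served from the Chrome Web Store.
const OFFICIAL_UPDATE_URL = "https://clients2.google.com/service/update2/crx";

// Constructed snapshots: the baseline is the approved state; "current"
// shows an update that added permissions and an extension installed
// outside the allowlist from a non-store update source.
const baseline = [
  { id: "placeholder-emoji-keyboard-id", name: "Emoji Keyboard", version: "1.4.0",
    permissions: ["storage"], hostPermissions: [], updateUrl: OFFICIAL_UPDATE_URL },
];
const current = [
  { id: "placeholder-emoji-keyboard-id", name: "Emoji Keyboard", version: "1.5.0",
    permissions: ["storage", "alarms", "declarativeNetRequest", "scripting"],
    hostPermissions: ["<all_urls>"], updateUrl: OFFICIAL_UPDATE_URL },
  { id: "placeholder-screen-capture-id", name: "Screen Capture", version: "2.0.1",
    permissions: ["tabs"], hostPermissions: ["<all_urls>"],
    updateUrl: "https://updates.example/crx" },
];

// Compares two inventories and returns one alert per notable change.
function diffExtensions(before, after, allowedIds) {
  const allowed = new Set(allowedIds);
  const prev = new Map(before.map((e) => [e.id, e]));
  const alerts = [];
  for (const ext of after) {
    if (!allowed.has(ext.id)) alerts.push({ id: ext.id, kind: "not-allowlisted" });
    if (ext.updateUrl && ext.updateUrl !== OFFICIAL_UPDATE_URL) {
      alerts.push({ id: ext.id, kind: "non-store-update-url", detail: ext.updateUrl });
    }
    const old = prev.get(ext.id);
    if (!old) { alerts.push({ id: ext.id, kind: "newly-installed" }); continue; }
    const addedPerms = ext.permissions.filter((p) => !old.permissions.includes(p));
    if (addedPerms.length) alerts.push({ id: ext.id, kind: "permissions-added", detail: addedPerms });
    const addedHosts = ext.hostPermissions.filter((h) => !old.hostPermissions.includes(h));
    if (addedHosts.length) alerts.push({ id: ext.id, kind: "host-access-added", detail: addedHosts });
  }
  for (const old of before) {
    if (!after.some((e) => e.id === old.id)) alerts.push({ id: old.id, kind: "removed" });
  }
  return alerts;
}

console.log(JSON.stringify(buildManagedPolicy(["placeholder-emoji-keyboard-id"]), null, 2));
console.log(diffExtensions(baseline, current, ["placeholder-emoji-keyboard-id"]));
```

A change of ownership on the Web Store is not visible from inside the browser, so it has to be watched on the store listing itself; what the diff catches is the usual consequence of a sale, a version bump that suddenly asks for alarms, network-rule and all-sites access, which is exactly the combination the trojanized extensions needed.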


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
