Hackers Secretly Hijack Popular Chrome Extensions In Broad Daylight
By 813 Staff

Hackers have secretly hijacked popular Chrome extensions in broad daylight, according to a report from The Hacker News (@TheHackersNews) posted within the last 24 hours.
Source: https://x.com/TheHackersNews/status/2030954914160243099
For a small team of freelance graphic designers in Austin, the first sign of trouble was a sudden, inexplicable slowdown in their shared project management software. Their workflow, heavily reliant on a popular Chrome extension called “Tab Manager Plus,” ground to a halt last Tuesday. By Thursday, their internal Slack channel was flooded with alerts about suspicious password reset emails. The source, according to a detailed report from cybersecurity firm Avast, was the very tool they trusted to organize their browser. The extension, along with another named “ClipGrabber,” had been silently transformed into data-harvesting malware following an unannounced change in ownership.
Internal documents and technical analyses reviewed by 813 show the extensions, which boasted a combined user base of over 1.5 million, were acquired by an unknown entity in late February. Engineers close to the project at Avast say the new owners pushed automatic updates that fundamentally altered the code. The benign functionality remained intact, but beneath the surface, the extensions began injecting malicious scripts designed to siphon login credentials, cookies, and financial data from users’ active browser sessions. The rollout has been anything but smooth for the attackers, however, as the extensions’ altered behavior triggered detection systems almost immediately within the research community.
This incident, first highlighted by The Hacker News (@TheHackersNews), underscores a critical and growing vulnerability in the software supply chain: the trust users place in auto-updating components. The Chrome Web Store’s model allows for ownership transfers without notifying the existing user base, creating a perfect vector for what security professionals call a “supply-chain attack.” The impact is direct and personal. For those 1.5 million users, a trusted utility became a persistent threat, capable of capturing banking details, corporate login credentials, and personal communications before they could even notice a change in performance.
What happens next hinges on Google’s response and user vigilance. Both extensions have been removed from the Chrome Web Store as of March 8th, but they remain installed and active on countless browsers. Google has not yet commented on whether it will implement a policy to flag or require user consent for extension ownership transfers, a change security advocates have long requested. For now, the immediate uncertainty lies in the extent of the data breach. Researchers are still analyzing the command-and-control servers used by the malware to determine what information was exfiltrated and where it was sent. The advice for users is blunt: audit your browser extensions immediately, remove any you do not actively recognize and use, and assume any credentials entered while the compromised extensions were active may be compromised. The Austin design team has already begun the tedious process of resetting every password, a consequence of trust placed in a tool that changed hands without a whisper.
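The audit the article recommends can be started from the local profile without trusting the extension itself. The script below is an added example, not code from 813, The Hacker News or Avast: it walks Chrome's on-disk Extensions folder (assumed to be at the stock profile paths listed in PROFILE_DIRS), reads each installed version's manifest.json, and flags extensions that hold permissions broad enough to read cookies or inject scripts into every site, which is exactly what a takeover update needs. The sample manifest is constructed for the test, not taken from either hijacked extension.

```python
import json
import os
import sys
from pathlib import Path

# Permissions that let an extension read or modify data on every site the user visits.
# Any extension holding these deserves a second look after a change of ownership.
HIGH_RISK = {"<all_urls>", "cookies", "webRequest", "webRequestBlocking",
             "scripting", "debugger", "clipboardRead", "history"}

# Assumption: stock Chrome install locations for the "Default" profile.
PROFILE_DIRS = {
    "linux": Path.home() / ".config/google-chrome/Default/Extensions",
    "darwin": Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",
    "win32": Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions",
}

def audit_manifest(manifest):
    """Return name, version and the subset of requested permissions that are high risk."""
    # MV2 manifests list host patterns under "permissions"; MV3 moves them to "host_permissions".
    requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(p for p in requested if p in HIGH_RISK or p.endswith("://*/*"))
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "risky": risky, "has_script_injection": "content_scripts" in manifest}

def audit_extensions_dir(root):
    """Walk <root>/<extension id>/<version>/manifest.json and audit every installed version."""
    findings = []
    for manifest_path in sorted(Path(root).glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        entry = audit_manifest(manifest)
        entry["id"] = manifest_path.parent.parent.name      # Web Store extension id
        entry["installed"] = manifest_path.stat().st_mtime  # when this version landed on disk
        findings.append(entry)
    return findings

# Constructed sample shaped like a post-takeover build: familiar name, new version,
# plus broad permissions and a content script that runs on every page.
SAMPLE_MANIFEST = {
    "name": "Example Tab Tool (constructed)", "version": "3.1.0", "manifest_version": 3,
    "permissions": ["tabs", "cookies", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else PROFILE_DIRS.get(sys.platform)
    for f in audit_extensions_dir(root):
        flag = "REVIEW" if f["risky"] or f["has_script_injection"] else "ok"
        print(f'{flag:6} {f["id"]} {f["name"]} v{f["version"]} risky={f["risky"]}')
```

Run it with no arguments to scan the default profile, or pass another profile's Extensions directory; a recent "installed" timestamp on an extension that has just gained REVIEW-level permissions is the pattern described in the report.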