More than 100 Chrome browser extensions masquerading as legitimate tools, including YouTube, Fortinet VPN, Calendly, and DeepSeek AI, have been utilized to enable browser data compromise and remote script execution as part of a new attack campaign, BleepingComputer reports.
Threat actors created fake websites with included "Add to Chrome" buttons, which redirected to the Chrome Web Store entries downloading the phony extensions, an analysis from DomainTools revealed. Further examination of the "fortivpn" extension showed that it not only pilfered cookies and altered network traffic but also enabled arbitrary JavaScript execution, which could result in account takeovers and backdoor injections. "The Chrome Web Store has removed multiple of the actor's malicious extensions after malware identification. However, the actor's persistence and the time lag in detection and removal pose a threat to users seeking productivity tools and browser enhancements," said DomainTools researchers, who called on users to download extensions made by reputable publishers.
Threat actors created fake websites with included "Add to Chrome" buttons, which redirected to the Chrome Web Store entries downloading the phony extensions, an analysis from DomainTools revealed. Further examination of the "fortivpn" extension showed that it not only pilfered cookies and altered network traffic but also enabled arbitrary JavaScript execution, which could result in account takeovers and backdoor injections. "The Chrome Web Store has removed multiple of the actor's malicious extensions after malware identification. However, the actor's persistence and the time lag in detection and removal pose a threat to users seeking productivity tools and browser enhancements," said DomainTools researchers, who called on users to download extensions made by reputable publishers.
