Stanley malware bypasses Chrome Web Store checks, steals credentials

According to HackRead, a new crimeware toolkit named Stanley is being sold on Russian-language crime forums, enabling scammers to create sophisticated fake websites. Discovered by Varonis, this toolkit first appeared on January 12, 2026, and is offered by a seller using the alias Стэнли for prices ranging from $2,000 to $6,000.

Stanley is concerning because it functions as a full-featured service, with the most expensive version claiming to guarantee that malicious apps will pass the Chrome Web Store's security checks. This bypasses the usual advice of only installing extensions from official stores. The toolkit disguises itself as a note-taking tool called Notely. Once installed, it can display fake login pages over legitimate websites, while the browser's URL bar continues to show the correct domain. This allows attackers to steal credentials even when users believe they are on a secure site. The malware also uses real Chrome notifications to trick users into clicking dangerous links and tracks victims using their IP address, reportedly checking in with hackers every 10 seconds.

The discovery of Stanley highlights a growing trend of malicious extensions that are difficult to detect, even after passing official reviews. Varonis reported the threat to Google on January 21, 2026, and while the main server was taken offline, the extension remained active for longer. This situation underscores the need for users to regularly audit their browser extensions, remove unused tools, and be wary of extensions requesting broad permissions, as these tactics can be exploited by sophisticated malware like Stanley.

Source: HackRead