A massive phishing campaign has compromised at least 35 Google Chrome extensions, collectively used by approximately 2.6 million users, injecting malicious code to steal sensitive information from unsuspecting victims.
Early indicators suggest that the hackers employed deceptive emails, posing as official notifications from Google Chrome Web Store Developer Support, to trick extension publishers into granting attackers OAuth permissions over their projects.
By doing so, the threat actors bypassed multi-factor authentication measures and gained the ability to upload new, compromised versions of these Chrome extensions.
Security researchers report that the compromises range from popular virtual private network (VPN) tools to AI-powered browser integrations and productivity add-ons.
According to multiple incident disclosures, the malicious code specifically attempts to extract user session tokens, cookies, and credentials for social media accounts, particularly Facebook Ads dashboards.
One primary target of this campaign is corporate accounts with access to paid advertising features. Investigations also uncovered hard-coded command and control (C2) domains in the malicious JavaScript files, enabling the attackers to download configurations remotely and exfiltrate private user data.
Cyberhaven, a California-based data protection company, was among the first to confirm the breach. The company disclosed that on Christmas Eve, a phishing attack compromised an employee’s credentials, allowing hackers to publish a malicious version of their Chrome extension (version 24.10.4).
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
Among the affected extensions are “AI Assistant,” “VPNCity,” “Reader Mode,” and “Web Mirror,” along with at least 30 other known browser tools. In several documented proofs of concept, once activated, the compromised code sends details of user sessions or cookies back to attacker-controlled servers.
Initially, it was observed that 16 Chrome Extensions were hijacked, but further analysis reveals that 35 extensions installed by 2,600,000 users were compromised.
35 Affected Extensions
| Extension Name | Status | Version / Identifier |
|---|---|---|
| Where is Cookie? | Not yet addressed | emedckhdnioeieppmeojgegjfkhdlaeo |
| Web Mirror | Not yet addressed | eaijffijbobmnonfhilihbejadplhddo |
| ChatGPT App | Not yet addressed | lbneaaedflankmgmfbmaplggbmjjmbae |
| Hi AI | Not yet addressed | hmiaoahjllhfgebflooeeefeiafpkfde |
| Web3Password Manager | Not yet addressed | pdkmmfdfggfpibdjbbghggcllhhainjo |
| YesCaptcha assistant | Not yet addressed | [email protected] |
| Bookmark Favicon Changer | Addressed | 5.1 / [email protected] |
| Proxy SwitchyOmega (V3) | Not yet addressed | [email protected] |
| GraphQL Network Inspector | Addressed | 2.22.7 / [email protected] |
| AI Assistant | Removed from store | bibjgkidgpfbblifamdlkdlhgihmfohh |
| Bard AI chat | Removed from store | pkgciiiancapdlpcbppfkmeaieppikkk |
| ChatGPT for Google Meet | Removed from store | epdjhgbipjpbbhoccdeipghoihibnfja |
| Search Copilot AI Assistant for Chrome | Removed from store | bbdnohkpnbkdkmnkddobeafboooinpla |
| TinaMind | Addressed | 2.14.0 / befflofjcniongenjmbkgkoljhgliihe |
| Wayin AI | Addressed | 0.0.11 / cedgndijpacnfbdggppddacngjfdkaca |
| VPNCity | Not yet addressed | nnpnnpemnckcfdebeekibpiijlicmpom |
| Internxt VPN | Addressed | 1.2.0 / dpggmcodlahmljkhlmpgpdcffdaoccni |
| Vidnoz Flex | Removed from store | cplhlgabfijoiabgkigdafklbhhdkahj |
| VidHelper | Not yet addressed | egmennebgadmncfjafcemlecimkepcle |
| Castorus | Addressed | 4.41 / mnhffkhmpnefgklngfmlndmkimimbphc |
| Uvoice | Not yet addressed | oaikpkmjciadfpddlpjjdapglcihgdle |
| Reader Mode | Not yet addressed | fbmlcbhdmilaggedifpihjgkkmdgeljh |
| ParrotTalks | Not yet addressed | kkodiihpgodmdankclfibbiphjkfdenh |
| Primus | Addressed | 3.20.0 / oeiomhmbaapihbilkfkhmlajkeegnjhe |
| Keyboard History Recorder | Not yet addressed | igbodamhgjohafcenbcljfegbipdfjpk |
| ChatGPT Assistant | Not yet addressed | bgejafhieobnfpjlpcjjggoboebonfcg |
| Reader Mode | Removed from store | llimhhconnjiflfimocjggfjdlmlhblm |
| Visual Effects for Google Meet | Addressed | 3.2.4 / hodiladlefdpcbemnbbcpclbmknkiaem |
| AI Shop Buddy | Not yet addressed | epikoohpebngmakjinphfiagogjcnddm |
| Cyberhaven V3 Security Extension | Addressed | pajkjnmeojmbapicmbpliphjmcekeaac |
| Earny | Not yet addressed | oghbgbkiojdollpjbhbamafmedkeockb |
| Rewards Search Automator | Not yet addressed | eanofdhdfbcalhflpbdipkjjkoimeeod |
| Tackker | Addressed | ekpkdmohpdnebfedjjfklhpefgpgaaji |
| Sort By | Not yet addressed | miglaibdlgminlepgeifekifakochlka |
| Email Hunter | Not yet addressed | mbindhfolmpijhodmgkloeeppmkhpmhc |
Many of these domains were found to have been registered and tested in earlier months, suggesting that the campaign may have begun as far back as March 2024.
Reports indicate that the total number of targeted extensions may exceed the 35 publicly confirmed so far as investigators continue analyzing newly discovered command and control subdomains.
The primary attack vector appears to be a sophisticated phishing email disguised as a compliance or violation notice from Google, alerting developers to “unnecessary details in the description” or “misleading metadata.”
When recipients clicked through, they were redirected to a seemingly legitimate Google login page for an application named “Privacy Policy Extension.” Granting access here allowed the attackers to assume control of the developers’ Chrome Web Store accounts, publish tampered updates, and push them directly to users without raising immediate suspicion.
Analysis of the malicious payloads suggests hackers were looking to harvest cookies from popular platforms, saving them to local storage and sending them off to external C2 servers.
Some evidence points to the exploitation of Facebook-related tokens and business marketing tools, though experts warn that secondary objectives around AI tools and corporate platforms could also be in play.
Security researchers advise users and organizations to uninstall or update these compromised extensions immediately. Official recommendations include resetting passwords, revoking active sessions, reviewing browser extension permissions, and monitoring unusual activity on personal and business accounts. Developers are urged to remain vigilant about phishing attempts and to enable robust application security checks.
While many extensions have been taken down or patched, the situation is still evolving. Users should frequently verify extension legitimacy, update browsers and plugins, and exercise caution when prompted with sudden policy violation messages purporting to be from Google.