Dozens of Chrome Extensions Hacked, Exposing Millions of Users to Data Theft


A large-scale attack campaign has compromised at least 35 Chrome browser extensions, putting over 2.6 million users at risk of data theft and credential exposure. Threat actors targeted extension publishers through phishing, gaining access that let them upload malicious versions that stole cookies, access tokens, and identity data. Cyberhaven, the first to report the attack, revealed that its extension was compromised on December 24, 2024, with malicious code exfiltrating user data via a command-and-control server. The campaign used phishing emails that posed as Google support and tricked developers into granting permissions to malicious OAuth apps. Further investigation uncovered numerous compromised extensions, some of which contained hidden data-harvesting code from monetization SDKs. While Google has removed several extensions, the threat persists because compromised versions remain active on user devices, highlighting the critical need for stronger browser extension security.
