Remove These Extensions Now! Hackers Hijack Google Chrome Add-ons for Fraud

A new cybersecurity breach has put over 3.2 million Google Chrome users at risk after hackers hijacked popular browser extensions, injecting malicious scripts and redirecting web traffic for fraud. This Google Chrome extensions cyberattack, which researchers believe was executed through a supply chain compromise, allowed cybercriminals to exploit trusted extensions and distribute harmful updates without users realizing it.

The Google Chrome Extensions cyberattack: What Happened?

A total of 16 widely used Google Chrome extensions, including ad blockers, emoji keyboards, and screen capture tools, were identified as compromised. These extensions, which initially appeared legitimate, were later updated with obfuscated scripts designed to steal data, modify HTTP requests, and inject unauthorized advertisements. This meant that millions of unsuspecting users had already been granted permissions that enabled attackers to manipulate web activity in real time.

List of Affected Chrome Extensions:

• Blipshot (One-Click Full Page Screenshots)
• Emojis – Emoji Keyboard
• WAToolkit
• Color Changer for YouTube
• Video Effects for YouTube and Audio Enhancer
• Themes for Chrome and YouTube™ Picture in Picture
• Mike Adblock für Chrome | Chrome-Werbeblocker
• Page Refresh
• Wistia Video Downloader
• Super Dark Mode
• Emoji Keyboard Emojis for Chrome
• Adblocker for Chrome – NoAds
• Adblock for You
• Adblock for Chrome
• Nimble Capture
• KProxy

How Did This Happen?

Cybersecurity researchers traced the attack back to compromised developer accounts, where hackers either obtained access through phishing schemes or tricked developers into transferring control of their extensions. Once in control, the attackers pushed malicious updates through the Chrome Web Store, bypassing traditional security checks.

The cyberattack on the Google Chrome extension is reminiscent of past supply chain breaches, where cybercriminals exploit trusted software to distribute malware. Because browser extension updates happen automatically, users had no indication that their trusted tools had been weaponized against them.

How the Malicious Extensions Worked

Security experts found that these extensions contained hidden service worker functionality that performed the following actions:

• Checked in with a remote server on installation, transmitting extension details and a unique identifier.
• Stored configuration data in local storage, with updates periodically pushed by the attackers.
• Injected malicious scripts into websites to steal data and manipulate browser activity.
• Stripped security protections from visited websites by removing Content Security Policy headers, increasing the risk of further malware infections.
• Monitored browser sessions to reload tabs and maintain persistence.

Risks to Users

The compromised extensions could:

• Steal sensitive data such as login credentials, browsing history, and personal information.
• Modify search engine results to redirect users to malicious or affiliate-linked pages for monetary gain.
• Inject harmful advertisements into websites, further exposing users to scams and potential phishing attacks.
• Bypass browser security settings, making it easier for attackers to install additional malware on a user’s device.

What Google Chrome Users Should Do

While Google has removed these extensions from the Chrome Web Store, they will not be automatically uninstalled from users’ browsers. If you have installed any of the affected extensions, follow these steps immediately:

1. Remove Suspicious Extensions

• Open Google Chrome and go to Settings > Extensions or type chrome://extensions/ in the address bar.
• Look for any of the affected extensions listed above.
• Click Remove and confirm the action.

2. Reset Browser Settings

To ensure no residual malware remains in your browser:

• Open Chrome settings and go to Reset settings under Advanced.
• Click Restore settings to their original defaults and confirm.

3. Check for Unauthorized Activity

• Review your saved passwords and accounts for any unauthorized access.
• Change passwords for critical accounts, especially if you used autofill while using the compromised extensions.
• Enable two-factor authentication (2FA) for additional security.

4. Install Trusted Security Software

• Use a reliable antivirus or anti-malware solution to scan your system for any remaining threats.
• Consider using a password manager to avoid storing credentials in your browser.

Lessons Learned: How to Stay Safe from Malicious Extensions

Browser extensions can enhance your online experience, but they can also pose significant risks. Here are some best practices to stay safe:

• Regularly Audit Installed Extensions – Periodically review which extensions you have installed and remove any that you no longer use.
• Check Permissions Before Installing – Only install extensions that request minimal permissions. Be wary of those asking for extensive access to your browsing data.
• Research Before Downloading – Don’t rely solely on high ratings. Read recent reviews and search for security reports on any extension before installation.
• Enable Browser Security Features – Use Chrome’s built-in security tools to limit extension permissions and prevent unauthorized activity.
• Keep Your Browser Updated – Ensure that Chrome is always up to date to benefit from the latest security patches.

This large-scale cyberattack highlights the growing risks associated with browser extensions and the ease with which attackers can exploit them. With cybercriminals targeting even well-known and trusted extensions, users must remain vigilant and proactive in protecting their online security.

By following best practices and staying informed about cybersecurity threats, you can minimize risks and maintain a safer browsing experience.