Hackers target dozens of VPN and AI extensions for Google Chrome to compromise data
Cybersecurity researchers have uncovered dozens of attacks that involve malicious updates for Chrome browser extensions, one week after a security firm was compromised in a similar incident.
As of Wednesday, a total of 36 Chrome extensions injected with data-stealing code have been detected, mostly related to artificial intelligence (AI) tools and virtual private networks (VPNs), according to a report by ExtensionTotal, a platform that analyzes extensions listed on various marketplaces and public registries.
These extensions, collectively used by roughly 2.6 million people, include third-party tools such as ChatGPT for Google Meet, Bard AI Chat, YesCaptcha Assistant, VPNCity and Internxt VPN. Some of the affected companies have already addressed the issue by removing the compromised extensions from the store or updating them, according to ExtensionTotal's analysis.
In the incident targeting security firm Cyberhaven last week, an unidentified threat actor compromised one of the startup's administrative accounts through a phishing email. This allowed the attacker to publish a new version of the extension containing malicious code.
The phishing email falsely claimed that Cyberhaven's extension was violating Google’s policies and was at risk of removal from the Chrome Web Store. According to Cyberhaven’s analysis of the incident, the primary goal of the campaign was to target Facebook Ads accounts and obtain victims' access tokens, user IDs and business and ad account information.
Subsequent reports revealed that other developers had found additional compromised extensions, with those attacks also traced back to similar phishing emails.
“The link in this email looks like the web store but leads to a phishing website designed to take control of your Chrome extension and likely update it with malware,” one developer wrote on the Google Groups forum.
Security researcher John Tuckner reported earlier that the campaign involved at least 29 Chrome extensions, potentially affecting over 2.5 million users. Some of these extensions may have targeted sensitive information across banking platforms and other apps, according to Tuckner.
It remains unclear whether all the compromised extensions are linked to the same threat actor. Google did not respond to a request for comment by the time of publication.
Security researchers warn that browser extensions “shouldn’t be treated lightly,” as they have deep access to browser data, including authenticated sessions and sensitive information. Extensions are also easy to update and often not subjected to the same scrutiny as traditional software.
ExtensionTotal recommends that organizations use only pre-approved versions of extensions and ensure they remain unchanged and protected from malicious automatic updates.
“Even when we trust the developer of an extension, it’s crucial to remember that every version could be entirely different from the previous one,” researchers said. “If the extension developer is compromised, the users are effectively compromised as well—almost instantly.”
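The recommendation above amounts to pinning: record the exact version and content of each extension at the time it is reviewed, then check installed copies against that record so a silently pushed update shows up as drift. The following script is an added illustration of that check, not code from ExtensionTotal or Cyberhaven; it assumes the unpacked-extension layout Chrome uses on disk (`<profile>/Extensions/<id>/<version>_<n>/manifest.json`), and the extension IDs, versions and files it builds are constructed placeholders.

```python
"""Audit installed Chrome extensions against a pinned allowlist (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(ext_dir: Path) -> dict:
    """Return {'version', 'sha256'} for one unpacked extension directory.

    The digest covers every file (relative path plus bytes, sorted), so an
    added content script or an edited manifest changes the fingerprint even
    when the version string is left untouched.
    """
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    h = hashlib.sha256()
    for f in sorted(p for p in ext_dir.rglob("*") if p.is_file()):
        h.update(str(f.relative_to(ext_dir)).encode() + b"\0")
        h.update(f.read_bytes() + b"\0")
    return {"version": manifest["version"], "sha256": h.hexdigest()}


def scan_profile(profile: Path) -> dict:
    """Map extension id -> fingerprints found under <profile>/Extensions/<id>/<version>_<n>/ (assumed layout)."""
    found = {}
    ext_root = profile / "Extensions"
    if not ext_root.is_dir():
        return found
    for id_dir in ext_root.iterdir():
        if not id_dir.is_dir():
            continue
        for ver_dir in id_dir.iterdir():
            if (ver_dir / "manifest.json").is_file():
                found.setdefault(id_dir.name, []).append(fingerprint(ver_dir))
    return found


def audit(installed: dict, pins: dict) -> list:
    """Compare scanned extensions with the pinned allowlist; return (ext_id, finding) tuples."""
    findings = []
    for ext_id, fps in installed.items():
        pin = pins.get(ext_id)
        if pin is None:
            findings.append((ext_id, "NOT_APPROVED"))      # never reviewed at all
            continue
        for fp in fps:
            if fp["version"] != pin["version"]:
                # an update was installed that nobody approved (the article's scenario)
                findings.append((ext_id, f"VERSION_DRIFT {pin['version']} -> {fp['version']}"))
            elif fp["sha256"] != pin["sha256"]:
                findings.append((ext_id, "CONTENT_MISMATCH"))  # same version label, different files
    for ext_id in pins.keys() - installed.keys():
        findings.append((ext_id, "MISSING"))
    return findings


def _write_ext(dest: Path, version: str, files: dict) -> None:
    """Write a minimal constructed extension (manifest.json plus the given files)."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {"manifest_version": 3, "name": "demo", "version": version}
    (dest / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    for name, body in files.items():
        (dest / name).write_text(body, encoding="utf-8")


def demo() -> list:
    """Pin a reviewed copy, then audit a constructed profile that has drifted."""
    good_id = "a" * 32   # placeholder ids, 32 characters like real Chrome ids
    rogue_id = "b" * 32
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # 1. Record the fingerprint of the version the security team reviewed.
        _write_ext(tmp / "approved" / good_id, "1.4.0", {"bg.js": "console.log('ok');"})
        pins = {good_id: fingerprint(tmp / "approved" / good_id)}
        # 2. Profile state: the approved id has a tampered 1.4.0 copy and an
        #    auto-updated 1.4.1 with a new content script; a second id was never approved.
        prof = tmp / "profile" / "Extensions"
        _write_ext(prof / good_id / "1.4.0_0", "1.4.0", {"bg.js": "console.log('changed');"})
        _write_ext(prof / good_id / "1.4.1_0", "1.4.1",
                   {"bg.js": "console.log('ok');", "content.js": "/* added script */"})
        _write_ext(prof / rogue_id / "0.1.0_0", "0.1.0", {"bg.js": ""})
        return sorted(audit(scan_profile(tmp / "profile"), pins))


if __name__ == "__main__":
    for ext_id, finding in demo():
        print(ext_id, finding)
```

In practice the pins would be produced once from a reviewed copy and stored centrally, and the audit would run against each managed profile; any `VERSION_DRIFT` or `CONTENT_MISMATCH` is the signal that an update reached users without passing review, which is exactly the window the compromised-developer attacks exploit.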
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.