
Malicious extensions in Chrome Web Store affected 3.2 million users

GitLab researchers have discovered 16 malicious Chrome extensions that injected code to commit ad and search fraud and to disable the browser's defenses against cross-site scripting (XSS).

More than 3.2 million users had installed these extensions. After GitLab reported them, Google removed them from the Chrome Web Store. The discovery follows a December 2024 campaign in which attackers phished developers' accounts and pushed malicious code into their extensions; at least 36 extensions in that campaign were aimed at stealing Facebook login credentials.

Analyzing several of those extensions, GitLab found 16 additional rogue ones that facilitated ad and search-engine fraud and stripped the Content Security Policy (CSP) from web responses. CSP is a crucial browser-enforced defense against XSS attacks. Google has removed these extensions from the store, but removal from the store does not uninstall them from browsers: users who have them must uninstall them manually.

Takeover of developer accounts

The threat actor gained control by acquiring the developer accounts rather than by hacking them directly. Trojanized code has been present in the extensions since July 2024. The technique weakens browser security and keeps much of the malicious logic outside the extension packages themselves, on servers the extensions contact after installation, so the code shipped through the store looks benign. GitLab was able to partially reproduce the attack chain and found signs that the same actor may also be behind phishing kits. The malicious extensions leaked sensitive information and potentially provided initial access to victims' systems.

In December 2024, attackers carried out a software supply-chain attack through compromised developer accounts: malicious updates were pushed through the Chrome Web Store and exfiltrated data from HTTP headers and DOM content. GitLab later identified clusters of related malicious extensions and reported them to Google, which removed them in January 2025.

The malicious extensions, which included emoji keyboards, ad blockers and proxy tools, worked as advertised but carried additional code in their background service worker. Once installed, an extension contacted a configuration server, reported its version and a unique installation ID, and stored the configuration it received locally.

Periodic configuration refreshes were scheduled through an alarm (timer) mechanism. On every web request, the extensions stripped the CSP header from the response, disabling the page's protection against XSS. This violates Chrome Web Store policies and leaves users exposed to script injection on every site they visit.
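The header-stripping behavior described above, as an added example that is not code from GitLab, Google or any of the extensions in the report: a Node.js triage script that inspects an unpacked Manifest V3 extension's manifest.json and its declarativeNetRequest rule files for "modifyHeaders" rules that remove Content-Security-Policy (and similar) response headers, and weighs the result against the extension's host permissions. The extension names, file names and rule contents below are constructed for illustration, not taken from the campaign.

```javascript
// Added example (editor's code, not GitLab's or the article's): static triage for
// CSP-stripping declarativeNetRequest rules. All inputs below are constructed.

const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "x-content-type-options",
]);

const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Find rules that strip security headers. Works on static rule files and on the
// array returned by chrome.declarativeNetRequest.getDynamicRules() in the
// extension's service-worker console, which is where remotely pushed rules live.
function cspStrippingRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    const removed = (action.responseHeaders || [])
      .filter((h) => h.operation === "remove" &&
                     SECURITY_HEADERS.has(String(h.header).toLowerCase()))
      .map((h) => String(h.header).toLowerCase());
    if (removed.length === 0) continue;
    const cond = rule.condition || {};
    findings.push({
      id: rule.id,
      headers: removed,
      urlFilter: cond.urlFilter ?? cond.regexFilter ?? "(all URLs)",
      resourceTypes: cond.resourceTypes ?? ["(all types)"],
    });
  }
  return findings;
}

function hasBroadHostAccess(manifest) {
  const declared = [...(manifest.host_permissions || []), ...(manifest.permissions || [])];
  return declared.some((p) => BROAD_HOST_PATTERNS.includes(p));
}

// manifest: parsed manifest.json; ruleFiles: { "<path>": parsedRulesArray } for each
// file listed under declarative_net_request.rule_resources.
function triageExtension(manifest, ruleFiles) {
  const resources = (manifest.declarative_net_request || {}).rule_resources || [];
  const findings = [];
  for (const res of resources) {
    for (const f of cspStrippingRules(ruleFiles[res.path] || [])) {
      findings.push({ ruleset: res.id, enabled: res.enabled !== false, ...f });
    }
  }
  const broad = hasBroadHostAccess(manifest);
  const perms = new Set(manifest.permissions || []);
  // With this permission the extension can add header-stripping rules at runtime
  // (updateDynamicRules), so an empty static finding list is not a clean bill of health.
  const canAddRulesAtRuntime =
    perms.has("declarativeNetRequest") || perms.has("declarativeNetRequestWithHostAccess");
  let verdict = "none";
  if (findings.some((f) => f.enabled)) verdict = broad ? "HIGH" : "MEDIUM";
  return { name: manifest.name, verdict, broadHostAccess: broad, canAddRulesAtRuntime, findings };
}

// --- constructed sample input (hypothetical extensions, not ones from the report) ---
const SUSPECT_MANIFEST = {
  manifest_version: 3,
  name: "Example Emoji Keyboard (constructed sample)",
  version: "2.4.1",
  permissions: ["declarativeNetRequest", "alarms", "storage"],
  host_permissions: ["<all_urls>"],
  declarative_net_request: {
    rule_resources: [{ id: "ruleset_1", enabled: true, path: "rules.json" }],
  },
};

const SUSPECT_RULE_FILES = {
  "rules.json": [
    // Legitimate-looking filter rule that an ad blocker would also ship.
    { id: 1, priority: 1, action: { type: "block" },
      condition: { urlFilter: "||ads.example/", resourceTypes: ["script"] } },
    // The malicious pattern: strip CSP from every main-frame and sub-frame response.
    { id: 2, priority: 2,
      action: { type: "modifyHeaders",
                responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" }] },
      condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] } },
  ],
};

const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Example Ad Blocker (constructed sample)",
  version: "1.0.0",
  permissions: ["declarativeNetRequest"],
  host_permissions: ["<all_urls>"],
  declarative_net_request: {
    rule_resources: [{ id: "ruleset_1", enabled: true, path: "rules.json" }],
  },
};
const BENIGN_RULE_FILES = { "rules.json": [SUSPECT_RULE_FILES["rules.json"][0]] };

console.log(JSON.stringify(triageExtension(SUSPECT_MANIFEST, SUSPECT_RULE_FILES), null, 2));
console.log(JSON.stringify(triageExtension(BENIGN_MANIFEST, BENIGN_RULE_FILES), null, 2));
```

To use it on a real installation, load manifest.json and the referenced rule files from the unpacked extension directory in the browser profile (on Linux, Chrome keeps them under ~/.config/google-chrome/Default/Extensions/<id>/<version>/) and pass them to triageExtension. The limit of this check is the point of the article: rules pushed from a configuration server at runtime are dynamic rules that never appear in the package, so also read chrome.declarativeNetRequest.getDynamicRules() from the extension's service-worker console and run cspStrippingRules over that result.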

Wide operation by cybercriminals

Researchers also found phishing kits hosting malicious scripts, including a page impersonating McGill University and a kit targeting the Swiss railway company SBB CFF FFS. The exact link between these kits and the extension operator is unclear, but there are strong indications that both belong to a broader cybercriminal operation.

The campaign is a large-scale threat to web browsers, with significant risks for individuals and organizations. Browsers handle sensitive data, an extension that silently alters every response is hard to detect, and attacks can be carried out quickly.

Abuse of the Chrome Web Store update mechanism is what made this attack effective. As in the December 2024 supply-chain attack, the malicious code reached users through ordinary extension updates. The incident highlights the risk of automatic browser extension updates, especially since ownership of an extension can change hands without users noticing.