35 Google Chrome Extensions Hacked

A massive phishing campaign has compromised at least 35 Google Chrome extensions, collectively used by approximately 2.6 million users, injecting malicious code to steal sensitive information from unsuspecting victims.

Early indicators suggest that the hackers employed deceptive emails, posing as official notifications from Google Chrome Web Store Developer Support, to trick extension publishers into granting attackers OAuth permissions over their projects.

Figure: fake notification email sent to extension developers

By doing so, the threat actors bypassed multi-factor authentication measures and gained the ability to upload new, compromised versions of these Chrome extensions.

Security researchers report that the compromises range from popular virtual private network (VPN) tools to AI-powered browser integrations and productivity add-ons.

According to multiple incident disclosures, the malicious code specifically attempts to extract user session tokens, cookies, and credentials for social media accounts, particularly Facebook Ads dashboards.

One primary target of this campaign is corporate accounts with access to paid advertising features. Investigations also uncovered hard-coded command and control (C2) domains in the malicious JavaScript files, enabling the attackers to download configurations remotely and exfiltrate private user data.

Cyberhaven, a California-based data protection company, was among the first to confirm the breach. The company disclosed that on Christmas Eve, a phishing attack compromised an employee’s credentials, allowing hackers to publish a malicious version of their Chrome extension (version 24.10.4).


Among the affected extensions are “AI Assistant,” “VPNCity,” “Reader Mode,” and “Web Mirror,” along with at least 30 other known browser tools. In several documented proofs of concept, once activated, the compromised code sends details of user sessions or cookies back to attacker-controlled servers.

Initially, 16 Chrome extensions were observed to have been hijacked, but further analysis revealed that 35 extensions, installed by roughly 2,600,000 users, were compromised.

35 Affected Extensions

Extension Name | Status | Version / Identifier
--- | --- | ---
Where is Cookie? | Not yet addressed | emedckhdnioeieppmeojgegjfkhdlaeo
Web Mirror | Not yet addressed | eaijffijbobmnonfhilihbejadplhddo
ChatGPT App | Not yet addressed | lbneaaedflankmgmfbmaplggbmjjmbae
Hi AI | Not yet addressed | hmiaoahjllhfgebflooeeefeiafpkfde
Web3Password Manager | Not yet addressed | pdkmmfdfggfpibdjbbghggcllhhainjo
YesCaptcha assistant | Not yet addressed | [email protected]
Bookmark Favicon Changer | Addressed | 5.1 / [email protected]
Proxy SwitchyOmega (V3) | Not yet addressed | [email protected]
GraphQL Network Inspector | Addressed | 2.22.7 / [email protected]
AI Assistant | Removed from store | bibjgkidgpfbblifamdlkdlhgihmfohh
Bard AI chat | Removed from store | pkgciiiancapdlpcbppfkmeaieppikkk
ChatGPT for Google Meet | Removed from store | epdjhgbipjpbbhoccdeipghoihibnfja
Search Copilot AI Assistant for Chrome | Removed from store | bbdnohkpnbkdkmnkddobeafboooinpla
TinaMind | Addressed | 2.14.0 / befflofjcniongenjmbkgkoljhgliihe
Wayin AI | Addressed | 0.0.11 / cedgndijpacnfbdggppddacngjfdkaca
VPNCity | Not yet addressed | nnpnnpemnckcfdebeekibpiijlicmpom
Internxt VPN | Addressed | 1.2.0 / dpggmcodlahmljkhlmpgpdcffdaoccni
Vidnoz Flex | Removed from store | cplhlgabfijoiabgkigdafklbhhdkahj
VidHelper | Not yet addressed | egmennebgadmncfjafcemlecimkepcle
Castorus | Addressed | 4.41 / mnhffkhmpnefgklngfmlndmkimimbphc
Uvoice | Not yet addressed | oaikpkmjciadfpddlpjjdapglcihgdle
Reader Mode | Not yet addressed | fbmlcbhdmilaggedifpihjgkkmdgeljh
ParrotTalks | Not yet addressed | kkodiihpgodmdankclfibbiphjkfdenh
Primus | Addressed | 3.20.0 / oeiomhmbaapihbilkfkhmlajkeegnjhe
Keyboard History Recorder | Not yet addressed | igbodamhgjohafcenbcljfegbipdfjpk
ChatGPT Assistant | Not yet addressed | bgejafhieobnfpjlpcjjggoboebonfcg
Reader Mode | Removed from store | llimhhconnjiflfimocjggfjdlmlhblm
Visual Effects for Google Meet | Addressed | 3.2.4 / hodiladlefdpcbemnbbcpclbmknkiaem
AI Shop Buddy | Not yet addressed | epikoohpebngmakjinphfiagogjcnddm
Cyberhaven V3 Security Extension | Addressed | pajkjnmeojmbapicmbpliphjmcekeaac
Earny | Not yet addressed | oghbgbkiojdollpjbhbamafmedkeockb
Rewards Search Automator | Not yet addressed | eanofdhdfbcalhflpbdipkjjkoimeeod
Tackker | Addressed | ekpkdmohpdnebfedjjfklhpefgpgaaji
Sort By | Not yet addressed | miglaibdlgminlepgeifekifakochlka
Email Hunter | Not yet addressed | mbindhfolmpijhodmgkloeeppmkhpmhc

Many of the command and control domains were found to have been registered and tested in earlier months, suggesting that the campaign may have begun as far back as March 2024.

Reports indicate that the total number of targeted extensions may exceed the 35 publicly confirmed so far as investigators continue analyzing newly discovered command and control subdomains.

The primary attack vector appears to be a sophisticated phishing email disguised as a compliance or violation notice from Google, alerting developers to “unnecessary details in the description” or “misleading metadata.”

When recipients clicked through, they were redirected to a seemingly legitimate Google login page for an application named “Privacy Policy Extension.” Granting access here allowed the attackers to assume control of the developers’ Chrome Web Store accounts, publish tampered updates, and push them directly to users without raising immediate suspicion.

Analysis of the malicious payloads suggests hackers were looking to harvest cookies from popular platforms, saving them to local storage and sending them off to external C2 servers.

Some evidence points to the exploitation of Facebook-related tokens and business marketing tools, though experts warn that secondary objectives around AI tools and corporate platforms could also be in play.

Security researchers advise users and organizations to uninstall or update these compromised extensions immediately. Official recommendations include resetting passwords, revoking active sessions, reviewing browser extension permissions, and monitoring unusual activity on personal and business accounts. Developers are urged to remain vigilant about phishing attempts and to enable robust application security checks.
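A practical way to act on the "uninstall or update" advice is to check a Chrome profile's Extensions directory against the identifiers in the table above. The script below is an added example, not code from the article or from any vendor mentioned in it; it assumes Chrome's on-disk layout of `<profile>/Extensions/<id>/<version>_<n>/manifest.json`, carries only a subset of the table's IDs (paste the full column into `COMPROMISED_IDS`), and builds a constructed throwaway profile so it runs offline.

```python
import json
import os
import tempfile

# Subset of the affected extension IDs from the table above; extend with the full column.
COMPROMISED_IDS = {
    "pajkjnmeojmbapicmbpliphjmcekeaac": "Cyberhaven V3 Security Extension",
    "nnpnnpemnckcfdebeekibpiijlicmpom": "VPNCity",
    "eaijffijbobmnonfhilihbejadplhddo": "Web Mirror",
    "fbmlcbhdmilaggedifpihjgkkmdgeljh": "Reader Mode",
    "bibjgkidgpfbblifamdlkdlhgihmfohh": "AI Assistant",
}
# Versions the article explicitly names as malicious (only Cyberhaven's is stated).
MALICIOUS_VERSIONS = {"pajkjnmeojmbapicmbpliphjmcekeaac": {"24.10.4"}}


def scan_extensions_dir(ext_dir):
    """Return [(id, name, version, finding)] for installed extensions on the affected list."""
    hits = []
    if not os.path.isdir(ext_dir):
        return hits
    for ext_id in sorted(os.listdir(ext_dir)):
        if ext_id not in COMPROMISED_IDS:
            continue
        for version_dir in sorted(os.listdir(os.path.join(ext_dir, ext_id))):
            manifest = os.path.join(ext_dir, ext_id, version_dir, "manifest.json")
            try:
                with open(manifest, encoding="utf-8") as fh:
                    version = json.load(fh).get("version", version_dir.split("_")[0])
            except (OSError, ValueError):
                version = version_dir.split("_")[0]  # fall back to "<version>_<n>" dir name
            known_bad = version in MALICIOUS_VERSIONS.get(ext_id, set())
            finding = "known malicious version" if known_bad else "on affected list; verify version"
            hits.append((ext_id, COMPROMISED_IDS[ext_id], version, finding))
    return hits


def make_demo_profile():
    """Constructed sample: a temp Extensions dir with two listed installs and one unrelated one."""
    ext_dir = os.path.join(tempfile.mkdtemp(), "Extensions")
    for ext_id, version in (("pajkjnmeojmbapicmbpliphjmcekeaac", "24.10.4"),
                            ("nnpnnpemnckcfdebeekibpiijlicmpom", "1.0.0"),
                            ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "2.0")):  # placeholder, unrelated
        d = os.path.join(ext_dir, ext_id, version + "_0")
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": "demo", "version": version}, fh)
    return ext_dir


if __name__ == "__main__":
    for hit in scan_extensions_dir(make_demo_profile()):
        print("%s (%s) version %s: %s" % hit)
```

Point `scan_extensions_dir` at the real profile path (for example the `Extensions` folder under `~/.config/google-chrome/Default` on Linux) to check a live installation; any hit is a reason to remove the extension and rotate the sessions and credentials the article lists.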

While many extensions have been taken down or patched, the situation is still evolving. Users should frequently verify extension legitimacy, update browsers and plugins, and exercise caution when prompted with sudden policy violation messages purporting to be from Google.

Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.