Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites
24.12.2025

Two Chrome extensions have been exposed for secretly harvesting login credentials from more than 170 websites, including major platforms like Google, GitHub, and Microsoft.
🚨 Chrome Extensions Gone Rogue: Stealing Your Logins Since... Yesterday?
Two Chrome extensions have been caught red-handed secretly harvesting login credentials from over 170 websites. This isn't just some random phishing attempt—this is your browser extensions turning against you.
The extensions—'PDF Toolbox' and 'Auto-Text Expander'—were discovered by cybersecurity researchers at McAfee. They've been operating under the radar, collecting usernames and passwords from major platforms including Google, GitHub, Microsoft, and financial institutions.

Here's how the attack works: The malicious extensions inject JavaScript into web pages to intercept form submissions. When you enter your credentials, they're captured before being sent to the legitimate server. The stolen data is then transmitted to a command-and-control server controlled by the attackers.
- Targets over 170 websites including major platforms
- Uses JavaScript injection to intercept form submissions
- Transmits stolen credentials to attacker-controlled servers
- Operates through seemingly legitimate Chrome extensions
The extensions were cleverly disguised as legitimate tools. 'PDF Toolbox' claimed to offer PDF conversion features, while 'Auto-Text Expander' promised text expansion capabilities. Both had thousands of downloads before being exposed.
This attack represents a sophisticated supply chain compromise. The extensions were originally legitimate but were later updated with malicious code. Users who installed the clean versions initially received malicious updates without their knowledge.
These extensions demonstrate how attackers can compromise the software supply chain to distribute malware through trusted channels.
The attack uses a man-in-the-browser technique, where malicious code runs within the browser context to intercept sensitive data. This bypasses many traditional security measures since the malicious activity occurs within what appears to be legitimate browser processes.
Google has removed both extensions from the Chrome Web Store, but users who already installed them need to manually remove them. The extensions may have been active for months before detection, potentially compromising numerous accounts.
- Check if you have 'PDF Toolbox' or 'Auto-Text Expander' installed
- Remove any suspicious extensions immediately
- Change passwords for affected accounts
- Enable two-factor authentication where available
- Monitor accounts for suspicious activity
This incident highlights the growing threat of supply chain attacks targeting browser extensions. With millions of users trusting these add-ons, a single compromised extension can affect thousands of victims across multiple organizations.
Enterprise security teams should implement extension management policies, whitelist approved extensions, and monitor for unusual network traffic from browser processes. Individual users should regularly audit their installed extensions and remove anything unnecessary or suspicious.
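The audit step the advice above asks for, as an added example (this is not code from the article, McAfee or Google): a Python triage script that walks a Chrome profile's Extensions directory, flags manifests whose content scripts run on every site, and flags content scripts that combine a form-submission hook, a read of input field values and an outbound network call, which is the man-in-the-browser pattern the article describes. The profile layout (`<profile>/Extensions/<id>/<version>/manifest.json`) is Chrome's real one; the manifest, extension id and script fragment are constructed samples, and the indicator regexes are heuristics, so a hit means "review this extension", not "this is malware".

```python
"""Heuristic triage of installed Chrome extensions for the credential-interception
pattern: content scripts on all sites + form-submission hook + outbound send.

Added example, not code from the article or from McAfee. The Chrome profile
layout is real; the sample manifest, id and script below are constructed."""
import json
import os
import re
import tempfile

# Match patterns that let a content script run on (nearly) every site.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Source-level indicators. Each one alone is common in benign code; the
# combination of all three is what warrants a manual look.
SUBMIT_HOOK_RE = re.compile(
    r"""addEventListener\(\s*['"](?:submit|keydown|keyup|input|change)['"]|\.onsubmit\s*=""", re.I)
INPUT_READ_RE = re.compile(r"""type\s*=\s*["']?password|\.value\b""", re.I)
EXFIL_RE = re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon|WebSocket)\s*\(")


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for a manifest.json dict (works for MV2 and MV3)."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if perms & BROAD_MATCHES:
        findings.append("broad host permissions: " + ", ".join(sorted(perms & BROAD_MATCHES)))
    if "webRequest" in perms or "webRequestBlocking" in perms:
        findings.append("can observe or modify network requests (webRequest)")
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_MATCHES:
            findings.append("content script injected into all sites: " + ", ".join(cs.get("js", [])))
    return findings


def audit_script(source: str) -> list[str]:
    """Flag a script that hooks form input, reads field values and sends data out."""
    hooks = SUBMIT_HOOK_RE.search(source) is not None
    reads = INPUT_READ_RE.search(source) is not None
    exfil = EXFIL_RE.search(source) is not None
    if hooks and reads and exfil:
        return ["hooks form submission, reads input values and makes network calls (review manually)"]
    if hooks and exfil:
        return ["hooks form submission and makes network calls (review manually)"]
    return []


def audit_extension_dir(version_dir: str) -> dict:
    """Audit one <id>/<version>/ directory: the manifest plus each content script it lists."""
    with open(os.path.join(version_dir, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    report = {"name": manifest.get("name", "?"), "findings": audit_manifest(manifest)}
    for cs in manifest.get("content_scripts", []):
        for js in cs.get("js", []):
            path = os.path.join(version_dir, js)
            if os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as f:
                    report["findings"] += [f"{js}: {x}" for x in audit_script(f.read())]
    return report


def audit_profile(profile_dir: str) -> list[dict]:
    """Walk <profile>/Extensions/<id>/<version>/ and audit every installed version."""
    reports = []
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return reports
    for ext_id in sorted(os.listdir(ext_root)):
        for version in sorted(os.listdir(os.path.join(ext_root, ext_id))):
            vdir = os.path.join(ext_root, ext_id, version)
            if os.path.isfile(os.path.join(vdir, "manifest.json")):
                report = audit_extension_dir(vdir)
                report["id"], report["version"] = ext_id, version
                reports.append(report)
    return reports


# Constructed sample: a manifest with an all-sites content script, and a script
# fragment that only carries the indicator tokens (it is not a working script).
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Text Helper (constructed sample)",
    "version": "1.0.2",
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_idle"}],
}
SAMPLE_SCRIPT = 'document.addEventListener("submit", handler); /* ... */ data = field.value; navigator.sendBeacon(url, data);'


def demo() -> list[dict]:
    """Write the constructed sample into a throwaway profile layout and audit it."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    vdir = os.path.join(root, "Extensions", "a" * 32, "1.0.2_0")  # constructed id/version
    os.makedirs(vdir)
    with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(SAMPLE_MANIFEST, f)
    with open(os.path.join(vdir, "content.js"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_SCRIPT)
    return audit_profile(root)


if __name__ == "__main__":
    # Real use: pass a profile dir such as ~/.config/google-chrome/Default (Linux),
    # %LOCALAPPDATA%\Google\Chrome\User Data\Default (Windows) or
    # ~/Library/Application Support/Google/Chrome/Default (macOS).
    for r in demo():
        print(f"{r['id']} {r['version']} {r['name']}")
        for finding in r["findings"]:
            print("  -", finding)
```

For the enterprise side of the same advice, Chrome's managed policies `ExtensionInstallBlocklist`, `ExtensionInstallAllowlist` and `ExtensionSettings` (with `"*": {"installation_mode": "blocked"}` plus per-id allowances) restrict installs to an approved set, which removes the need to audit every endpoint by hand; the script above is still useful for incident scoping, since it inspects whatever version is on disk, including a malicious update pushed on top of a previously clean extension.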
#Chrome extensions #supply chain attacks #malware #credentials #man-in-the-browser
Got a topic? Write to ATLA WIRE on Telegram: t.me/atla_community

