Cybersecurity researchers have recently discovered a serious security issue involving a Google Chrome extension that became malicious after its ownership was transferred to a new developer. The extension was originally considered safe and was used by many users for its normal functionality. However, after the ownership change, the extension began performing harmful activities inside users’ browsers. This incident shows how trusted software tools can become dangerous if they fall into the wrong hands.

According to security experts, the attack works through a two-stage process that allows attackers to misuse the extension’s permissions. Once the extension is installed in the browser, it can receive commands from remote servers controlled by the attackers. This gives the attackers the ability to influence the user’s browsing session. Through this access, they can monitor browsing activity or collect sensitive information.

In the first stage of the attack, the malicious extension gains control of the browser environment. Browser extensions often require permissions such as reading and modifying website data. While these permissions are necessary for many legitimate features, they can also be abused by attackers. With these permissions, the extension can observe web activity, capture information from pages, and manipulate website content.

The second stage of the attack is more dangerous because it involves injecting malicious scripts. Researchers found that the compromised extension can deliver scripts that run on the user’s system. These scripts can modify web pages or perform actions beyond the browser. This allows attackers to expand the attack and potentially compromise the victim’s computer.

Security researchers say that such attacks can lead to serious data exposure. Browsers usually store important information such as session tokens, cookies, and login credentials. A malicious extension can collect this information and send it to attackers. Because many users trust browser extensions, this type of attack can remain unnoticed for a long time.

During the investigation, researchers also discovered another suspicious Chrome extension called “lmToken Chromophore.” The extension claimed to be related to the popular cryptocurrency wallet imToken and presented itself as a simple color visualization tool. However, its real purpose was different. It redirected users to phishing websites designed to steal cryptocurrency wallet seed phrases and login details.

Researchers also noticed that some Chrome extensions previously removed from the Chrome Web Store had reappeared. These extensions had earlier been associated with collecting user conversations from various AI chatbots. The affected platforms included ChatGPT, Claude, Microsoft Copilot, DeepSeek, Google Gemini, Grok, Meta AI, and Perplexity. This raised new concerns about how browser extensions can access sensitive AI interactions.

This incident highlights the growing risk of supply-chain attacks in the browser extension ecosystem. When the ownership of a trusted extension changes, attackers may introduce malicious updates. Users who already trust the extension may continue using it without realizing the risk. Security experts recommend reviewing installed extensions regularly and removing any tools that are unnecessary or unfamiliar.
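One way to carry out the regular review recommended above is sketched below as an added example, not code from the researchers or from Google. It reads each installed extension's `manifest.json`, lists the broad site access and sensitive API permissions it requests, and reports grants that were absent from a previously saved baseline, which is the signal to look for after an update. The function names, the permission shortlist, the baseline format and the sample manifest are assumptions made for illustration; the directory passed in is the profile's `Extensions` folder.

```python
import json
import sys
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose session data or allow script injection (assumed shortlist).
SENSITIVE_APIS = {"cookies", "scripting", "webRequest", "tabs", "debugger", "nativeMessaging"}
# Constructed sample manifest, used only when no directory is given.
SAMPLE = {"manifest_version": 3, "permissions": ["storage", "cookies"],
          "host_permissions": ["<all_urls>"]}


def risky_grants(manifest: dict) -> set:
    """Return the broad host patterns and sensitive APIs a manifest requests."""
    requested = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        if isinstance(script, dict):
            requested.update(m for m in script.get("matches", []) if isinstance(m, str))
    return requested & (BROAD_HOSTS | SENSITIVE_APIS)


def scan_extensions(ext_root: Path) -> dict:
    """Map extension ID -> risky grants, reading <id>/<version>/manifest.json."""
    report = {}
    for path in sorted(ext_root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep auditing
        if isinstance(manifest, dict):
            report.setdefault(path.parent.parent.name, set()).update(risky_grants(manifest))
    return report


def new_grants(baseline: dict, current: dict) -> dict:
    """Grants present now but missing from an earlier saved baseline."""
    return {ext: added for ext, grants in current.items()
            if (added := grants - set(baseline.get(ext, [])))}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        for ext_id, grants in scan_extensions(Path(sys.argv[1])).items():
            print(ext_id, sorted(grants))
    else:
        print("sample manifest:", sorted(risky_grants(SAMPLE)))
```

A manifest audit shows only what an extension is allowed to do; an update that adds malicious behaviour without requesting new permissions will not appear in the diff, so the report complements rather than replaces removing extensions that are unnecessary or unfamiliar.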

Stay alert, and keep your security measures updated!
