A coordinated campaign involving at least 16 malicious Chrome extensions has compromised over 3.2 million users globally.
These extensions, masquerading as legitimate tools such as screen capture utilities and ad blockers, have been exploiting browser vulnerabilities to execute advertising fraud and manipulate search engine optimization (SEO).
Discovered by GitLab Threat Intelligence in February 2025, the malicious extensions have been active since at least July 2024.
The threat actors behind this campaign are believed to have acquired access to some of these extensions from their original developers and subsequently injected malicious code to hijack user sessions and degrade browser security.
This sophisticated attack chain involves multiple stages, including the use of service workers to communicate with unique configuration servers, enabling the dynamic fetching and execution of obfuscated JavaScript payloads from remote servers.
A particularly concerning aspect of this attack is the manipulation of the Content Security Policy (CSP). By deploying service workers to strip CSP headers from the first 2,000 websites visited per session, the attackers create a permissive environment for malicious activities, allowing for the injection of unauthorized scripts and content.
This degradation of browser security facilitates a range of malicious activities, including the modification of network request filtering rules, manipulation of search engine results, and injection of iframes with remote content, particularly targeting e-commerce platforms in specific regions.
Despite their removal from the Chrome Web Store, these malicious extensions continue to pose a threat to users who have not manually uninstalled them. It is imperative for users to review their installed Chrome extensions and remove any suspicious or unrecognized ones.
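The review of installed extensions recommended above can be scripted. The following is an added example written for this page, not code from the article or from GitLab Threat Intelligence: it walks a Chrome profile's `Extensions` directory, reads each `manifest.json`, and flags the capability set the campaign relied on (broad host access, header or request-rule rewriting, script injection, a background service worker). The scoring weights, the two sample manifests and the 32-character extension ids are constructed for the offline run and are assumptions, not a published scheme or real extensions.

```python
"""Audit Chrome extension manifests for the capability set described above:
broad host access plus header/request-rule rewriting and script injection.
Added example; the scoring weights are assumptions, not a standard."""
import json
import tempfile
from pathlib import Path

# Weights are an assumption for this example, chosen to surface the
# capabilities the article describes (CSP stripping, rule changes, injection).
RISKY_PERMISSIONS = {
    "webRequest": 2,                           # observe requests/responses
    "webRequestBlocking": 3,                   # MV2: rewrite headers inline
    "declarativeNetRequest": 2,                # MV3: request rules, incl. header edits
    "declarativeNetRequestWithHostAccess": 3,  # ...on any host the extension can reach
    "scripting": 2,                            # inject scripts/CSS into pages
    "cookies": 2,
    "tabs": 1,
    "webNavigation": 1,
}
HEADER_REWRITE = {"webRequestBlocking", "declarativeNetRequest",
                  "declarativeNetRequestWithHostAccess"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> dict:
    """Return the extension name, an assumed risk score and readable findings."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV3 lists host patterns separately; MV2 mixes them into "permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings, score = [], 0
    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        score += RISKY_PERMISSIONS[p]
        findings.append(f"permission {p}")
    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        score += 3
        findings.append(f"broad host access {broad}")
    if manifest.get("background", {}).get("service_worker"):
        findings.append("background service worker")
    # The combination that lets an extension drop CSP headers on any site.
    if broad and perms & HEADER_REWRITE:
        score += 2
        findings.append("can rewrite headers or request rules on arbitrary sites")
    return {"name": manifest.get("name", "<unnamed>"),
            "version": manifest.get("version", "?"),
            "score": score, "findings": findings}


def audit_extensions_dir(extensions_root: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json, highest risk first."""
    results = []
    for manifest_path in extensions_root.glob("*/*/manifest.json"):
        with open(manifest_path, encoding="utf-8") as fh:
            result = assess_manifest(json.load(fh))
        result["id"] = manifest_path.parts[-3]
        results.append(result)
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample manifests (not real extensions) for an offline run.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Screen Capture Pro (constructed)",
    "version": "2.4.1",
    "permissions": ["declarativeNetRequest", "declarativeNetRequestWithHostAccess",
                    "scripting", "tabs", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "sw.js"},
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Note Keeper (constructed)",
    "version": "1.0",
    "permissions": ["storage"],
    "action": {"default_popup": "popup.html"},
}


def build_sample_profile() -> Path:
    """Write the constructed manifests into a temp Extensions tree (fake ids)."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    for ext_id, manifest in (("a" * 32, SUSPICIOUS_MANIFEST), ("b" * 32, BENIGN_MANIFEST)):
        ext_dir = root / ext_id / f"{manifest['version']}_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Point audit_extensions_dir at a real profile's Extensions folder to audit it.
    for r in audit_extensions_dir(build_sample_profile()):
        print(f"{r['score']:>3}  {r['id']}  {r['name']} {r['version']}")
        for f in r["findings"]:
            print(f"       - {f}")
```

To run it against a real profile, pass the `Extensions` folder of the profile (on Linux `~/.config/google-chrome/Default/Extensions`, on macOS `~/Library/Application Support/Google/Chrome/Default/Extensions`, on Windows `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`). A high score means broad capability, not proven malice: a genuine ad blocker legitimately needs `declarativeNetRequest` and `<all_urls>`, which is exactly why the masquerade described above works. Treat the score as a shortlist, then check each flagged extension's Web Store status and whether its most recent update coincides with a change of ownership.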
Regularly updating extensions and exercising caution when granting permissions can help mitigate such risks. This incident underscores the importance of vigilance when managing browser extensions, as even legitimate tools can become compromised and pose significant security threats.
In light of this breach, cybersecurity experts recommend that users adopt a proactive approach to browser security. This includes regularly auditing installed extensions, staying informed about potential threats, and employing reputable security tools to detect and prevent malicious activities.