
A newly disclosed campaign has affected at least 3.2 million users through malicious browser extensions masquerading as legitimate utilities. A cluster of 16 extensions—ranging from screen capture tools to ad blockers and emoji keyboards—was identified as injecting malicious code into users’ browsers. According to GitLab Threat Intelligence, these extensions facilitate advertising fraud and search engine optimization (SEO) manipulation, while also posing a significant risk of data exfiltration and potential initial access for further cyber intrusions.
The attack chain employed by the threat actor is multistage and highly sophisticated, designed to evade detection while compromising browser security. GitLab’s report notes: “The threat actor uses a complex multistage attack to degrade the security of users’ browsers and then inject content, traversing browser security boundaries and hiding malicious code outside of extensions.”
The attack appears to have begun in July 2024, with the threat actor acquiring access to legitimate extensions rather than compromising them outright. The report suggests that the original developers may have transferred ownership of the extensions to the attacker, unknowingly providing a direct path for malicious updates.
By December 2024, the attack escalated into a supply chain compromise involving phishing attacks on developer accounts, allowing attackers to push malicious updates via the Chrome Web Store. These updates introduced scripts that exfiltrated HTTP header data and DOM content, leveraging dynamic configurations stored remotely.
While the extensions delivered their advertised features, a common malicious framework was embedded across them. The GitLab investigation uncovered consistent service worker functionality, including:
- Configuration checks on installation, transmitting the extension version and a unique ID to a remote server.
- Modification of browser security policies, particularly by stripping the Content Security Policy (CSP) header from the first 2,000 websites visited per session.
- Persistent heartbeat signals to refresh configuration data and maintain a connection with the attacker’s command-and-control (C2) infrastructure.
GitLab warns that CSP removal significantly weakens browser security, making users vulnerable to cross-site scripting (XSS) attacks and other injection-based exploits.
“This routine completely removes Content Security Policy protections for users of the malicious extensions. The Content Security Policy serves an important function in preventing Cross Site Scripting attacks and an extension degrading this protection without informed consent from users is a clear breach of Chrome Web Store Program Policies,” the report warns.
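The CSP-stripping behaviour described above is something a defender can check for before an extension is allowed onto managed browsers. The following is an added example; it is not code from the GitLab report or from any of the extensions named in this article. It assumes the Manifest V3 declarativeNetRequest mechanism (a modifyHeaders rule carrying a responseHeaders entry for content-security-policy), which is one way an extension can remove the header, and the manifest and rule set it audits are constructed samples.

```javascript
// Added example (not from the GitLab report or any of the extensions named in
// the article): audit an unpacked Manifest V3 extension for declarativeNetRequest
// rules that strip or rewrite the Content-Security-Policy response header.
// Assumption: the MV3 "modifyHeaders" rule shape (action.type === "modifyHeaders",
// action.responseHeaders = [{ header, operation }]).

const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
]);

// Examine one rule set and report rules that remove, set or append a
// security-relevant response header.
function auditRules(rules) {
  const findings = [];
  for (const rule of rules) {
    if (!rule.action || rule.action.type !== "modifyHeaders") continue;
    for (const h of rule.action.responseHeaders || []) {
      const name = String(h.header || "").toLowerCase();
      if (!SECURITY_HEADERS.has(name)) continue;
      const cond = rule.condition || {};
      findings.push({
        ruleId: rule.id,
        header: name,
        operation: h.operation,
        // No urlFilter (or a bare wildcard) means the rule fires on every site visited.
        scope: cond.urlFilter && cond.urlFilter !== "*" ? cond.urlFilter : "ALL_URLS",
      });
    }
  }
  return findings;
}

// Audit a whole extension: manifest-declared static rule sets plus broad host
// permissions, which together are what a session-wide CSP strip needs.
function auditExtension(manifest, ruleSetsById) {
  const findings = [];
  const dnr = manifest.declarative_net_request || {};
  for (const rs of dnr.rule_resources || []) {
    for (const f of auditRules(ruleSetsById[rs.id] || [])) {
      findings.push({ ruleSet: rs.id, ...f });
    }
  }
  const hosts = manifest.host_permissions || [];
  const broadHostAccess = hosts.some((p) => p === "<all_urls>" || p.startsWith("*://*/"));
  return {
    name: manifest.name,
    broadHostAccess,
    cspStripped: findings.some(
      (f) => f.header.startsWith("content-security-policy") && f.operation === "remove"
    ),
    findings,
  };
}

// Constructed sample: one ordinary blocking rule alongside a rule that removes CSP
// from every top-level and framed page.
const SAMPLE_MANIFEST = {
  name: "Example Utility (constructed)",
  manifest_version: 3,
  host_permissions: ["<all_urls>"],
  declarative_net_request: {
    rule_resources: [{ id: "rules_static", enabled: true, path: "rules.json" }],
  },
};
const SAMPLE_RULESETS = {
  rules_static: [
    { id: 1, action: { type: "block" }, condition: { urlFilter: "||ads.example-tracker.test" } },
    {
      id: 2,
      action: {
        type: "modifyHeaders",
        responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" }],
      },
      condition: { resourceTypes: ["main_frame", "sub_frame"] },
    },
  ],
};

console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, SAMPLE_RULESETS), null, 2));
```

Run it with Node against the constructed sample; for a real extension, load its manifest.json and each file listed under declarative_net_request.rule_resources into the same two arguments. The report flags cspStripped whenever a rule removes the header, and scope shows whether the removal is limited to a urlFilter or applies to every site.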
Analysis of the malicious extensions’ infrastructure revealed a network of dedicated configuration servers, each linked to a specific extension. Examples include:
| Extension Name | Configuration Server |
|---|---|
| Blipshot (Screenshots) | blipshotextension[.]com |
| Emojis Keyboard | emojikeyboardextension[.]com |
| Nimble Capture | api.nimblecapture[.]com |
| Adblocker for Chrome | abfc-extension[.]com |
| KProxy | kproxyservers[.]site |
The configuration servers leveraged BunnyCDN and DigitalOcean’s Apps Platform, using consistent x-do-app-origin headers, indicating that the attacker deployed all configurations via a single cloud-based application.
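The shared x-do-app-origin header is the kind of pivot an analyst uses to tie separate hostnames to one deployment. The following is an added example, not code or data from the GitLab report: the header captures are constructed, the header values are invented, and only the header name comes from the article.

```javascript
// Added example (not from the GitLab report): group candidate configuration
// hosts by a shared deployment header value to surface infrastructure run as one
// cloud application. All captures below are constructed sample data; the header
// name x-do-app-origin is the one the article mentions, the values are invented.

const CAPTURES = [
  { host: "config-one.example.test", headers: { Server: "nginx", "X-Do-App-Origin": "app-aaaa-constructed" } },
  { host: "config-two.example.test", headers: { server: "nginx", "x-do-app-origin": "app-aaaa-constructed" } },
  { host: "api.config-three.example.test", headers: { "x-do-app-origin": "app-aaaa-constructed", "cdn-cache": "HIT" } },
  { host: "unrelated.example.test", headers: { "x-do-app-origin": "app-bbbb-constructed" } },
  { host: "static.example.test", headers: { server: "cloudflare" } },
];

// HTTP header names are case-insensitive; normalise before comparing.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Group hosts by the value of one header. Hosts lacking the header are kept under
// the null key so they are not silently dropped from the picture.
function clusterByHeader(captures, headerName) {
  const key = headerName.toLowerCase();
  const clusters = new Map();
  for (const c of captures) {
    const value = normalizeHeaders(c.headers)[key] ?? null;
    if (!clusters.has(value)) clusters.set(value, []);
    clusters.get(value).push(c.host);
  }
  return clusters;
}

// Return only clusters large enough to suggest shared infrastructure, largest
// first, ignoring hosts that lacked the header entirely.
function sharedOriginClusters(captures, headerName, minHosts = 2) {
  return [...clusterByHeader(captures, headerName).entries()]
    .filter(([value, hosts]) => value !== null && hosts.length >= minHosts)
    .map(([value, hosts]) => ({ value, hosts: [...hosts].sort() }))
    .sort((a, b) => b.hosts.length - a.hosts.length);
}

console.log(JSON.stringify(sharedOriginClusters(CAPTURES, "x-do-app-origin"), null, 2));
```

On the constructed data three hosts share one application origin and are reported as a single cluster, while the lone host with a different value and the host without the header are left out of the result. Feeding real response headers in the same shape gives the same grouping over live infrastructure.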
Further, some scripts associated with the attack were also found embedded within phishing kits targeting organizations, suggesting a possible connection between the attackers and cyber intrusion actors involved in credential theft campaigns.
The attackers ensured long-term persistence through dynamic script injection. The rcx-cd-v3.js payload used an advanced JavaScript obfuscation technique to execute code within the browser. This payload enabled modifications to network requests, including:
- Bypassing CORS restrictions by executing requests within the service worker.
- Altering ad-blocking rules to allow advertising domains while blocking Microsoft’s tracking services.
- Injecting iframes and background tabs with malicious content, especially for victims visiting Amazon product pages in European regions.
GitLab’s researchers suspect that these activities support click fraud campaigns, SEO manipulation, and even potential sensitive data theft.
Google was notified in January 2025 and has since removed all identified malicious extensions from the Chrome Web Store. However, removal from the store does not trigger automatic uninstalls. Users who previously installed any of these extensions must manually delete them from their browsers.