
A newly discovered cybersecurity threat is targeting Google Chrome users through polymorphic browser extensions, which can impersonate legitimate ones and steal sensitive credentials.
The research team at SquareX uncovered how these malicious extensions operate and the severe risks they pose to users, including password managers, crypto wallets, and banking applications.
“The polymorphic extensions create a pixel perfect replica of the target’s icon, HTML popup, workflows and even temporarily disables the legitimate extension, making it extremely convincing for victims to believe that they are providing credentials to the real extension,” said SquareX in a published report.
How the Attack Works
Polymorphic extensions exploit Chrome’s browser extension ecosystem by temporarily replacing a legitimate extension with a fake one.
Attackers create and publish a disguised extension (e.g., an AI marketing tool) on the Chrome Web Store. They use social engineering tactics, such as social media promotions, to trick users into installing it.
Users are prompted to pin the extension during installation for a “better experience,” which places its icon in the toolbar next to the icons it will later imitate. The extension initially operates normally while it inventories the victim’s installed extensions. Once it finds a worthwhile target, it swaps its own icon, name and popup for copies of the target’s and temporarily disables the real extension, as the SquareX quote above describes; a victim who clicks the familiar icon and sees the familiar login popup hands their credentials to the fake.
This allows attackers to harvest credentials without raising suspicion. They prioritize extensions linked to valuable assets such as password managers, crypto wallets, and banking apps.
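The symptoms of the swap described above are visible in the browser’s own extension list: two extensions with the same display name but different IDs, one of them disabled, and an extension holding the “management” permission (the permission Chrome requires before an extension may enumerate or disable others). The following is an added defensive audit, written for this article and not code from SquareX or from any real extension; it works on plain objects shaped like the `chrome.management.ExtensionInfo` records that `chrome.management.getAll()` returns, on a constructed sample inventory, and uses a hypothetical user-maintained allowlist (`EXPECTED_IDS`) mapping a name to the store ID the user actually installed.

```javascript
// Normalize a display name so that "My  Password Manager" and "my password manager"
// collide: lowercase and strip everything except letters and digits.
function normalizeName(name) {
  return String(name).toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Group extensions by normalized name and return only the groups in which more
// than one distinct extension ID claims the same name.
function findNameCollisions(extensions) {
  const byName = new Map();
  for (const ext of extensions) {
    const key = normalizeName(ext.name);
    if (!byName.has(key)) byName.set(key, []);
    byName.get(key).push(ext);
  }
  const collisions = [];
  for (const [name, group] of byName) {
    const ids = new Set(group.map((e) => e.id));
    if (ids.size < 2) continue;
    collisions.push({
      name,
      enabledIds: group.filter((e) => e.enabled).map((e) => e.id),
      disabledIds: group.filter((e) => !e.enabled).map((e) => e.id),
    });
  }
  return collisions;
}

// Extensions that hold the "management" permission can list and disable other
// extensions (chrome.management.setEnabled), which the impersonation step needs.
function findManagementCapable(extensions) {
  return extensions
    .filter((e) => Array.isArray(e.permissions) && e.permissions.includes('management'))
    .map((e) => e.id);
}

// Combine both checks into findings. `expectedIds` is a hypothetical allowlist
// from normalized name to the ID copied from the Web Store URL at install time;
// any other ID sharing that name is reported as a suspect.
function auditExtensions(extensions, expectedIds = {}) {
  const findings = [];
  for (const c of findNameCollisions(extensions)) {
    const expected = expectedIds[c.name];
    const suspects = [...c.enabledIds, ...c.disabledIds].filter((id) => id !== expected);
    findings.push({
      // A disabled twin next to an enabled one is exactly the swap described in the article.
      severity: c.disabledIds.length > 0 ? 'high' : 'medium',
      reason: `duplicate name "${c.name}": ${c.enabledIds.length} enabled, ${c.disabledIds.length} disabled`,
      ids: suspects,
    });
  }
  for (const id of findManagementCapable(extensions)) {
    findings.push({
      severity: 'medium',
      reason: 'holds the "management" permission (can disable other extensions)',
      ids: [id],
    });
  }
  return findings;
}

// Constructed sample inventory imitating chrome.management.getAll() output.
// IDs are placeholders, not real Web Store IDs.
const SAMPLE_EXTENSIONS = [
  { id: 'a'.repeat(32), name: 'My Password Manager', enabled: false, installType: 'normal',
    permissions: ['storage', 'tabs'] },
  { id: 'b'.repeat(32), name: 'My Password Manager', enabled: true, installType: 'normal',
    permissions: ['management', 'storage', 'tabs', 'webNavigation'] },
  { id: 'c'.repeat(32), name: 'Tab Groups Helper', enabled: true, installType: 'normal',
    permissions: ['tabs'] },
];

// Hypothetical allowlist: the ID the user originally installed for the password manager.
const EXPECTED_IDS = { [normalizeName('My Password Manager')]: 'a'.repeat(32) };

for (const f of auditExtensions(SAMPLE_EXTENSIONS, EXPECTED_IDS)) {
  console.log(`[${f.severity}] ${f.reason} -> ${f.ids.join(', ')}`);
}
```

Inside a real extension holding the `management` permission, the same audit runs over `await chrome.management.getAll()` instead of the sample array. Two unrelated extensions can legitimately share a name, which is why a collision without a disabled twin is only rated medium; the high rating is reserved for the enabled-plus-disabled pair that the attack produces.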
The rise of polymorphic extensions highlights the evolving tactics cybercriminals use to compromise user security.
While Google must enhance its extension policies, users must adopt proactive security measures to prevent such attacks.
Verify an extension by its Web Store listing and 32-character extension ID rather than by its name or icon, since both can be copied. Review the permissions an extension requests before installing it, and treat a request to “manage your apps, extensions, and themes” (the management permission) as a red flag for any tool that has no business controlling other extensions. If a pinned extension suddenly asks you to log in again, check chrome://extensions for a disabled copy before entering anything. Finally, use security tools or enterprise extension allowlists to monitor browser activity.