- by foxnews
- 14 Mar 2025
Now, security researchers have discovered a polymorphic attack that allows malicious Chrome extensions to transform into other browser extensions, including password managers, crypto wallets and banking apps, to steal sensitive information.
Keep reading to learn how this attack works and how to protect yourself from it.
The attack starts with hackers uploading what looks like a harmless extension to the Chrome Web Store. It might even have real features, like an AI-powered marketing tool, to convince users to install and pin it to their browser.
Once installed, the malicious extension scans the victim's browser for other extensions. It can do this in two ways. If it has permission to use the "chrome.management" API, it grabs a list of installed extensions directly. If not, it injects code into web pages to check for unique files or resources tied to certain extensions.
If it finds a targeted extension, like 1Password, the malicious extension reports back to an attacker-controlled server. The attacker then tells it to impersonate the real extension by disabling it if permissions allow, changing its name and icon and displaying a fake login popup that looks just like the real thing.
To steal user credentials, the malicious extension triggers a fake "Session Expired" prompt when the victim tries to log in to a website. This tricks them into thinking they need to reenter their credentials for their password manager or banking app. When they do, the stolen data is sent straight to the attackers.
After collecting the credentials, the extension switches back to its original form. It restores the legitimate extension, making everything look normal so the victim doesn't suspect anything. This shows just how dangerous malicious Chrome extensions can be and why stronger security measures are needed to protect users.
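The two discovery paths described above can be checked from the defender's side. This added example (not from the article or the researchers) audits extension manifests for the "management" permission and for resources that any web page can load. The function names, the sample manifests and the `<profile>/Extensions/<id>/<version>/manifest.json` layout it scans are assumptions of the example.

```python
import json
from pathlib import Path

BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return findings for one parsed manifest.json (Manifest V2 or V3)."""
    if not isinstance(manifest, dict):
        return ["unexpected manifest format"]
    findings = []
    # "management" lets an extension enumerate and disable other extensions.
    for key in ("permissions", "optional_permissions"):
        if "management" in manifest.get(key, []):
            findings.append(f"requests 'management' via {key}")
    # Resources any web page can load let page scripts detect the extension.
    for entry in manifest.get("web_accessible_resources", []):
        if isinstance(entry, str):  # MV2: plain paths, readable by every page
            findings.append(f"resource exposed to all pages: {entry}")
        elif isinstance(entry, dict):  # MV3: exposure set per entry by "matches"
            broad = BROAD & set(entry.get("matches", []))
            if broad and not entry.get("use_dynamic_url"):
                findings += [f"resource exposed to all pages: {r}"
                             for r in entry.get("resources", [])]
    return findings

def audit_extensions(ext_root):
    """Scan <ext_root>/<extension id>/<version>/manifest.json (assumed layout)."""
    report = {}
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            findings = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError):
            findings = ["unreadable manifest"]
        if findings:
            report.setdefault(path.parts[-3], []).extend(findings)
    return report

# Constructed sample manifests (not taken from any real extension).
SAMPLE_TOOL = {"manifest_version": 3, "name": "Sample marketing tool",
               "permissions": ["storage", "management"]}
SAMPLE_VAULT = {"manifest_version": 3, "name": "Sample vault",
                "web_accessible_resources": [
                    {"resources": ["img/logo.png"], "matches": ["<all_urls>"]}]}

if __name__ == "__main__":
    for sample in (SAMPLE_TOOL, SAMPLE_VAULT):
        print(sample["name"], "->", audit_manifest(sample))
```

A "management" finding on an extension that has no obvious need to manage other extensions is the one to review first; the resource findings show which installed extensions a page script could recognize.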
We reached out to Google, and a spokesperson told CyberGuy, "We appreciate the work of the research community and we've received the report. We are constantly investing in ways to improve the security of the Chrome Web Store, and we take appropriate action when we learn of emerging threats."
Here are five ways to safeguard your sensitive information and maintain your online privacy.
2. Install extensions only from trusted sources: Official browser stores like the Chrome Web Store or Firefox Add-ons have rules and scans to catch bad actors, but they're not perfect. Extensions from random websites or third-party downloads are far more likely to hide malware or spyware. Stick to the official store for your browser; don't download extensions from sketchy links.
The malicious extension highlights that Google isn't doing enough to keep malware off its platform. Security researchers pointed out that the Chrome Web Store lacks protections against these types of attacks, such as blocking sudden changes to an extension's icon or HTML, or at least alerting users when such changes occur. The problem isn't limited to the Chrome Web Store. The Play Store also hosts malicious apps from time to time, affecting millions of users. Google needs to step up its security efforts and put user privacy front and center.
Copyright 2025 CyberGuy.com. All rights reserved.