Malicious Chrome Extensions and Phishing Campaign Target Developers
Severity: Medium (Score: 51.9)
Sources: Cybersecuritynews, Gbhackers
Published: · Updated:
Keywords: chrome, fake, store, copyright, notices, malicious, extensions
Severity indicators: ot, credentials
Summary
Over 50 malicious Chrome extensions masquerading as 'live wallpaper' utilities have been identified, impacting approximately 30,000 users through adware operations that hijack browser behavior. These extensions were distributed via the Chrome Web Store and third-party sites. Concurrently, a phishing campaign is targeting Chrome extension developers with counterfeit copyright removal notices, tricking them into providing their Google credentials on a fake sign-in page. This poses a significant risk to both developers and their users. The malicious extensions and phishing attempts highlight ongoing threats in the browser extension ecosystem. Current investigations are underway to mitigate these risks and protect affected users. Key Points: • 50+ malicious Chrome extensions affected around 30,000 users through adware. • Phishing campaign targets developers with fake copyright notices to steal credentials. • Both threats emphasize vulnerabilities in the Chrome extension ecosystem.
Detailed Analysis
**Impact** Over 30,000 users have been affected by more than 50 malicious Chrome extensions disguised as “live wallpaper” utilities, primarily distributed via the Chrome Web Store and third-party portals. Additionally, Chrome extension developers are targeted by a phishing campaign that compromises Google credentials, putting developer accounts and their users at risk. The affected sectors include software development and browser extension ecosystems, with no specific geographic concentration reported. **Technical Details** The adware operation hijacks browser behavior by pushing remote HTML content through malicious extensions distributed across at least three publisher accounts. The phishing campaign uses fake Chrome Web Store copyright removal notices to lure developers into entering credentials on counterfeit Google sign-in pages. No CVEs or specific malware names are provided. The attacks involve initial access and credential theft stages of the kill chain. **Recommended Response** Immediately audit installed Chrome extensions for suspicious “live wallpaper” utilities and remove any unverified or recently added extensions. Educate developers to verify official Chrome Web Store communications and avoid entering credentials on unsolicited sign-in pages. Deploy phishing detection and block known malicious URLs associated with the fake copyright notices. Monitor developer accounts for unauthorized access and enforce multi-factor authentication.
Source articles (2)
- 50+ Malicious Chrome Extensions Hit 30K Users — Gbhackers · 2026-06-03
50+ malicious Chrome extensions posing as “live wallpaper” utilities have been caught running an adware operation that hijacks browser behavior and quietly pushes remote HTML content to around 30,000… - Hackers Use Fake Chrome Web Store Copyright Notices to Steal Google Credentials — Cybersecuritynews · 2026-06-04
A new phishing campaign is targeting Chrome extension developers using fake copyright removal notices that look like official messages from the Chrome Web Store. The scam tricks developers into enteri…
Timeline
- 2026-06-03 — Malicious Chrome extensions identified: Over 50 extensions posing as 'live wallpaper' utilities were found to hijack browser behavior, impacting 30,000 users.
- 2026-06-04 — Phishing campaign targeting developers reported: Hackers used fake copyright removal notices to trick developers into revealing Google credentials on a counterfeit page.
Related entities
- Malware (Attack Type)
- Phishing (Attack Type)
- T1566 - Phishing (Mitre Attack)
- Google Chrome (Tool)