Shape-Shifting Browser Extensions Steal Credentials

Researchers at SquareX Labs have uncovered a new class of malicious browser extensions dubbed "polymorphic extensions." These extensions can impersonate legitimate extensions such as password managers in real time, tricking users into revealing sensitive credentials. The attack proceeds in four phases: distribution, reconnaissance, impersonation, and exploitation. Attackers distribute the malicious extension disguised as a useful tool on the Chrome Web Store. Once installed, it identifies target extensions and, when the user invokes one of them, temporarily disables the legitimate version and replaces it with a near-identical fake. Credentials are stolen and the legitimate extension is restored, leaving no obvious trace. Because the attack relies only on legitimate browser features, there is no easy fix, but SquareX suggests countermeasures such as restricting sudden extension icon changes and enhancing permission monitoring.
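One concrete form of the "permission monitoring" countermeasure, added here as an example and not code from SquareX or the original article: audit installed extensions' manifest.json files for the `management` permission, which an extension must hold (declared or optional) to disable other extensions through chrome.management, and flag those that also own a toolbar action whose icon they could re-skin. The manifests below are constructed for illustration.

```python
import json

# Permission required to call chrome.management.setEnabled on other extensions,
# i.e. the capability needed to switch off a legitimate extension mid-session.
MANAGEMENT_PERMISSION = "management"


def audit_manifest(manifest: dict) -> dict:
    """Summarise the risk-relevant capabilities declared in one manifest (MV2 or MV3)."""
    # "management" may be declared up front or requested later at runtime, so check both.
    declared = set(manifest.get("permissions", []))
    optional = set(manifest.get("optional_permissions", []))
    can_disable_others = MANAGEMENT_PERMISSION in (declared | optional)
    # A toolbar action ("action" in MV3, "browser_action" in MV2) is what a
    # polymorphic extension would re-skin to look like the target extension.
    has_toolbar_icon = "action" in manifest or "browser_action" in manifest
    return {
        "name": manifest.get("name", "<unnamed>"),
        "can_disable_other_extensions": can_disable_others,
        "management_is_optional": MANAGEMENT_PERMISSION in optional,
        "has_toolbar_icon": has_toolbar_icon,
        # Both capabilities together are the combination worth reviewing by hand.
        "review": can_disable_others and has_toolbar_icon,
    }


def audit_manifests(raw_manifests):
    """Parse raw manifest.json contents and return the findings to review first."""
    findings = [audit_manifest(json.loads(raw)) for raw in raw_manifests]
    return [f for f in findings if f["review"]]


# Constructed sample manifests (hypothetical extensions, not real Web Store items).
SAMPLE_MANIFESTS = [
    '{"name": "Tab Tidy", "manifest_version": 3, "action": {}, '
    '"permissions": ["storage"], "optional_permissions": ["management"]}',
    '{"name": "Dark Theme", "manifest_version": 3, "permissions": ["storage"]}',
    '{"name": "Ext Manager", "manifest_version": 2, '
    '"permissions": ["management"]}',
]

if __name__ == "__main__":
    for finding in audit_manifests(SAMPLE_MANIFESTS):
        print(finding)
```

Run it against the manifest.json files under a Chrome profile's Extensions directory to get a short list of extensions whose combination of capabilities merits a closer look.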