Sophisticated Phishing Campaign Targets Chrome Extension Developers
A new phishing campaign is actively targeting Chrome extension developers, impersonating official Chrome Web Store copyright enforcement notices to steal Google account credentials. The attack, discovered by Malwarebytes, aims to compromise widely used browser extensions by exploiting developer trust and urgency.
The campaign begins with a highly personalized "copyright removal request," falsely claiming an extension faces takedown within 48 hours. Victims are directed to a fake "Chrome Web Store Developer Policy Center" hosted on attacker-controlled domains, such as dmca-chrome-extensions[.]click. The phishing page dynamically retrieves publicly available extension metadata, including names, icons, and listing details, to craft a convincing, tailored takedown notice. Fake elements like complaint numbers, submission dates, and a countdown timer heighten pressure, discouraging victims from verifying the claim through official channels.
At the final stage, a realistic Google sign-in interface appears, complete with branding and a spoofed accounts.google.com URL. However, the window is embedded within the malicious page, and credentials entered are immediately captured. Key red flags include the inability to move the login window outside the browser and the persistent display of the phishing domain in the address bar.
Compromised developer accounts pose severe risks. Attackers could inject malicious code into extensions, distribute trojanized updates, or access sensitive resources, potentially impacting millions of users. This campaign mirrors broader trends of targeting developer ecosystems, similar to past attacks on platforms like GitHub and YouTube.
Google does not issue policy enforcement notices via third-party sites; legitimate alerts appear only in the official Chrome Web Store developer dashboard. Security experts advise developers to verify alerts directly through official channels, scrutinize browser address bars, and use strong authentication methods like passkeys or hardware security keys. Suspected compromises should prompt immediate password resets, session revocations, and extension audits.
The attack demonstrates advanced social engineering, combining real-time data harvesting with psychological manipulation to deceive even technically savvy users.
Source: https://gbhackers.com/fake-chrome-web-store-copyright/
Google TPRM report: https://www.rankiteo.com/company/googlefordevelopers
"id": "goo1780561773",
"linkid": "googlefordevelopers",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Potentially millions of extension users',
                        'industry': 'Software Development, Browser Extensions',
                        'name': 'Chrome Extension Developers',
                        'type': 'Individuals/Developers'}],
 'attack_vector': 'Email (Phishing), Fake Websites',
 'data_breach': {'data_exfiltration': 'Credentials captured via phishing page',
                 'personally_identifiable_information': 'Google account credentials',
                 'sensitivity_of_data': 'High (Account credentials, Developer access)',
                 'type_of_data_compromised': 'Google account credentials, Extension metadata'},
 'description': "A new phishing campaign is actively targeting Chrome extension developers, impersonating official Chrome Web Store copyright enforcement notices to steal Google account credentials. The attack aims to compromise widely used browser extensions by exploiting developer trust and urgency. The campaign uses highly personalized 'copyright removal requests' with fake takedown notices and dynamically retrieves extension metadata to craft convincing phishing pages. Compromised developer accounts could lead to malicious code injection, trojanized updates, or access to sensitive resources, impacting millions of users.",
 'impact': {'brand_reputation_impact': 'Potential reputational damage to affected extensions and developers',
            'data_compromised': 'Google account credentials, Extension metadata',
            'identity_theft_risk': 'High (Google account credentials)',
            'operational_impact': 'Potential malicious code injection into extensions, Trojanized updates',
            'systems_affected': 'Chrome extension developer accounts, Browser extensions'},
 'initial_access_broker': {'entry_point': 'Phishing email with fake copyright removal request',
                           'high_value_targets': 'Chrome extension developers'},
 'lessons_learned': 'Developers should verify alerts through official channels, scrutinize browser address bars, and use strong authentication methods like passkeys or hardware security keys. The attack demonstrates advanced social engineering combining real-time data harvesting with psychological manipulation.',
 'motivation': 'Credential Theft, Malicious Code Distribution',
 'post_incident_analysis': {'corrective_actions': 'Improved authentication methods, Developer education on phishing risks, Enhanced verification processes for official notices',
                            'root_causes': 'Exploitation of developer trust, Social engineering, Lack of verification of official notices'},
 'recommendations': ['Verify policy enforcement notices directly through the official Chrome Web Store developer dashboard',
                     'Scrutinize browser address bars for phishing domains',
                     'Use strong authentication methods (e.g., passkeys, hardware security keys)',
                     'Reset passwords and revoke sessions if compromise is suspected',
                     'Audit extensions for unauthorized changes'],
 'references': [{'source': 'Malwarebytes'}],
 'response': {'remediation_measures': 'Password resets, Session revocations, Extension audits'},
 'title': 'Sophisticated Phishing Campaign Targets Chrome Extension Developers',
 'type': 'Phishing',
 'vulnerability_exploited': 'Social Engineering, Trust Exploitation'}