Sophisticated Phishing Campaign Targets Chrome Extension Developers with Fake Copyright Notices
A new phishing campaign is impersonating the Chrome Web Store to trick extension developers into surrendering their Google credentials. The attack, uncovered by Malwarebytes, sends fake copyright infringement notices that closely mimic official Google communications, complete with a 48-hour countdown to appeal creating urgency to bypass scrutiny.
The scam leverages publicly available details about legitimate extensions, including their names, icons, and store listings, to craft highly personalized fake complaints. Victims are directed to a spoofed "Chrome Web Store Developer Policy Center" hosted on dmca-chrome-extensions[.]click, where a convincing but fraudulent Google sign-in window harvests credentials. The fake login page even adapts its appearance based on the victim’s operating system (Mac or Windows) and includes a padlock icon and accounts.google.com branding to appear authentic.
If successful, attackers could hijack developer accounts to distribute malicious updates to thousands of unsuspecting users. The campaign stands out for its precision, using real extension data to exploit trust rather than generic phishing tactics.
Developers are advised to verify notices directly through the Chrome Web Store dashboard, avoid clicking links in unsolicited emails, and enable two-factor authentication (preferably with hardware keys) to mitigate risks. Those who may have fallen victim should immediately reset their Google password, revoke active sessions, and audit their extensions for unauthorized changes.
The phishing domain dmca-chrome-extensions[.]click has been identified as the primary indicator of compromise.
Source: https://cybersecuritynews.com/hackers-use-fake-chrome-web-store-copyright-notices/
Google TPRM report: https://www.rankiteo.com/company/google
Chrome Extension Developers TPRM report: https://www.rankiteo.com/company/google-chrome
"id": "googoo1780561453",
"linkid": "google, google-chrome",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"{'affected_entities': [{'customers_affected': 'Thousands of Unsuspecting Users '
'(Potential)',
'industry': 'Software Development, Browser Extensions',
'location': 'Global',
'name': 'Chrome Extension Developers',
'type': 'Individuals/Developers'}],
'attack_vector': 'Email (Fake Copyright Infringement Notices)',
'customer_advisories': 'Developers are advised to verify notices directly '
'through the Chrome Web Store dashboard, avoid '
'clicking links in unsolicited emails, and enable '
'two-factor authentication.',
'data_breach': {'personally_identifiable_information': 'Google Account '
'Credentials',
'sensitivity_of_data': 'High (Account Access, Potential for '
'Malicious Updates)',
'type_of_data_compromised': 'Credentials (Google Account)'},
'description': 'A new phishing campaign is impersonating the Chrome Web Store '
'to trick extension developers into surrendering their Google '
'credentials. The attack sends fake copyright infringement '
'notices that closely mimic official Google communications, '
'complete with a 48-hour countdown to appeal creating urgency '
'to bypass scrutiny. The scam leverages publicly available '
'details about legitimate extensions to craft highly '
'personalized fake complaints. Victims are directed to a '
"spoofed 'Chrome Web Store Developer Policy Center' where a "
'fraudulent Google sign-in window harvests credentials. If '
'successful, attackers could hijack developer accounts to '
'distribute malicious updates to thousands of unsuspecting '
'users.',
'impact': {'brand_reputation_impact': 'Potential Damage to Developer and '
'Chrome Web Store Reputation',
'data_compromised': 'Google Account Credentials',
'identity_theft_risk': 'High (Google Account Credentials)',
'operational_impact': 'Potential Distribution of Malicious Updates '
'to Users',
'systems_affected': 'Chrome Extension Developer Accounts'},
'initial_access_broker': {'entry_point': 'Fake Copyright Infringement Notices '
'(Email)',
'high_value_targets': 'Chrome Extension Developers'},
'lessons_learned': 'Developers should verify notices directly through '
'official channels, avoid clicking links in unsolicited '
'emails, and enable two-factor authentication (preferably '
'with hardware keys).',
'motivation': 'Credential Theft, Malicious Software Distribution',
'post_incident_analysis': {'corrective_actions': 'Enhanced Verification for '
'Copyright Notices, '
'Developer Education on '
'Phishing Risks, '
'Multi-Factor Authentication '
'Enforcement',
'root_causes': 'Social Engineering, Trust '
'Exploitation, Urgency Tactics, '
'Spoofed Login Pages'},
'recommendations': ['Verify notices directly through the Chrome Web Store '
'dashboard',
'Avoid clicking links in unsolicited emails',
'Enable two-factor authentication (preferably with '
'hardware keys)',
'Reset Google password if compromised',
'Revoke active sessions',
'Audit extensions for unauthorized changes'],
'references': [{'source': 'Malwarebytes'}],
'response': {'communication_strategy': 'Advisories to Developers (Verify '
'Notices via Chrome Web Store '
'Dashboard, Avoid Clicking Links in '
'Unsolicited Emails, Enable Two-Factor '
'Authentication)',
'remediation_measures': 'Password Reset, Revoke Active Sessions, '
'Audit Extensions for Unauthorized '
'Changes',
'third_party_assistance': 'Malwarebytes (Incident Discovery)'},
'title': 'Sophisticated Phishing Campaign Targets Chrome Extension Developers '
'with Fake Copyright Notices',
'type': 'Phishing',
'vulnerability_exploited': 'Social Engineering (Trust Exploitation, Urgency '
'Tactics)'}