Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

One Million Exposed to Adware via Hijacked Chrome Extension

Over one million users were exposed to adware after the developer of a highly popular Chrome extension fell victim to a phishing attack.

Over one million users were exposed to adware after the developer of a highly popular Chrome extension fell victim to a phishing attack.

The incident happened on August 1, when Chris Pederick, Director of Engineering at Bleacher Report, exposed his developer credentials after clicking on a link received via a phishing email. The result was that attackers accessed his account and pushed a modified version of the Web Developer Chrome extension.

Soon after the malicious extension version (v0.4.9) began reaching its one-million-strong userbase, people started complaining about its new malicious behavior, which involved inserting ads into visited sites. Early next day, the developer was able to upload a new version (v0.5) of the extension to remove the malicious code.

The developer notes that only the Chrome version of Web Developer was compromised, and that the Firefox and Opera versions aren’t affected. He encourages the extension’s Chrome users to update to version 0.5 as soon as possible.

“I am still looking into exactly what the malicious code was doing, but it is strongly advised that if you had Web Developer for Chrome installed that you change your password to any site that you logged into on Wednesday, August 2nd as a precaution, particularly Cloudflare which looks as though it may have been explicitly targeted. It has also been suggested that Cloudflare users revoke their API key if they visited the Cloudflare dashboard yesterday as this may have been compromised as well,” the developer says.

Pederick explains that on August 1 at 9.25 AM PDT, he received an email claiming to come from Google, informing him that there are some issues with his extension and the Chrome Store policies. He clicked on the link in the email and logged into his developer account almost immediately.

He discovered that the email was bogus and that he fell victim to an attack only the next day at 6:30 AM PDT, when he logged back into the account and changed the password. By 9.15 AM PDT, the clean version (v0.5) of Web Developer was already live in the Chrome store.

“With the compromised version of the extension now replaced in the store, I have been working on replying to everyone who tweeted or emailed me advising them to upgrade to version 0.5 ASAP. I have also informed Google of what happened, although there is not an obvious right way to report this and thus far I have not heard from them,” Pederick also notes.

The developer says that, in addition to changing the password for the compromised account, he also enabled two-factor authentication. He is still looking into the impact of the malicious code.

As it turns out, Web Developer was only one Chrome extension cybercriminals hijacked recently to infest with adware. Last week, a member of the Copyfish extension team received a similar phishing email and fell to the trick. This eventually resulted in attackers pushing an updated (and malicious) version of the extension, which too started to insert ads/spam into websites, just as it happened with Web Developer.

The attack happened on July 28 and the update was pushed the next day. On July 30, the developers noticed the malicious behavior and logged into their account, but noticed that the actors had moved the extension to their own account. Google moved Copyfish back to the original developers’ account on August 1, the developers reveal.

With two popular Chrome extensions targeted by similar phishing emails within several days of each other, chances are that more similar attacks are brewing.

Related: Chrome Users Targeted in Malware Campaign

Related: Google Tightens Security Rules for Chrome Extensions

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.