Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates
Essential information
- Published
- 30/06/2026 14:07
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- browser extension chrome web store clipboard stealer credential theft firefox add-ons free vpn by vpn go staged updates supply chain vpn go: free vpn vpn impersonation
- Related entities
- 19 indicators, 10 observables, 8 techniques (mitre), 2 malware
Description
Malicious browser extensions distributed through Chrome Web Store and Firefox Add-ons marketplaces posed as free VPN services while secretly stealing clipboard data. The Chrome extension, with 146 users, and Firefox extension, with 3,499 users, initially functioned as proxy tools but later incorporated clipboard theft through staged updates. Chrome versions 1.1 onwards and Firefox version 1.3.3 onwards continuously monitored clipboard contents every 500-1500 milliseconds, capturing passwords, API keys, cryptocurrency addresses, and authentication tokens. Stolen data was chunked, tagged with session identifiers, and exfiltrated via HTTP to attacker-controlled infrastructure at multiple IP addresses. Both extensions shared code patterns, infrastructure, and exfiltration endpoints despite appearing as separate products, indicating coordinated malicious operations behind legitimate-appearing privacy tools.