216.73.217.139

Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates

· Published 30/06/2026 14:07

Export JSON

Essential information

Published
30/06/2026 14:07
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
browser extension chrome web store clipboard stealer credential theft firefox add-ons free vpn by vpn go staged updates supply chain vpn go: free vpn vpn impersonation
Related entities
19 indicators, 10 observables, 8 techniques (mitre), 2 malware

Description

Malicious browser extensions distributed through and Firefox Add-ons marketplaces posed as free VPN services while secretly stealing clipboard data. The Chrome extension, with 146 users, and Firefox extension, with 3,499 users, initially functioned as proxy tools but later incorporated clipboard theft through staged updates. Chrome versions 1.1 onwards and Firefox version 1.3.3 onwards continuously monitored clipboard contents every 500-1500 milliseconds, capturing passwords, API keys, cryptocurrency addresses, and authentication tokens. Stolen data was chunked, tagged with session identifiers, and exfiltrated via HTTP to attacker-controlled infrastructure at multiple IP addresses. Both extensions shared code patterns, infrastructure, and exfiltration endpoints despite appearing as separate products, indicating coordinated malicious operations behind legitimate-appearing privacy tools.

External references