Cybercriminal groups systematically purchased popular Chrome extensions from legitimate developers in 2024-2025, then pushed malicious updates that turned productivity tools into credential-stealing malware. Notable victims include Cyberhaven, VPNCity, and Parrot Talks, affecting millions of users. The attack pattern exploits Chrome's automatic update mechanism, excessive extension permissions, and Google's lack of oversight on ownership transfers. For enterprises, compromised extensions can harvest SSO tokens, cloud credentials, and internal tool access. The post outlines immediate audit steps for individuals, enterprise governance controls (allowlists, MDM policies, monitoring), and calls on Google to implement mandatory ownership transfer reviews, enhanced permission models, and behavioral monitoring.
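As an added illustration of the "immediate audit steps" and allowlist controls mentioned above (this is example code, not from the post or any of the vendors named), the helper below reads the manifest.json that Chrome keeps for each installed extension and flags anything that is off the enterprise allowlist or that holds the permission combination a hijacked update typically needs: cookie or request access plus broad host access. The profile path, the allowlist and the sample manifests are assumptions constructed for the example.

```python
import json
from pathlib import Path

# Hypothetical audit helper, not code from the summarized post. Chrome keeps
# each extension's manifest under <profile>/Extensions/<id>/<version>/.
# API permissions that let an extension read or alter authenticated traffic.
RISKY_API_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking",
                         "scripting", "debugger", "nativeMessaging"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(ext_id, manifest, allowlist):
    """Return findings for one extension; an empty list means it passed."""
    findings = []
    if ext_id not in allowlist:
        findings.append("not on allowlist")
    # MV2 lists host patterns inside "permissions"; MV3 moves them to
    # "host_permissions". Collect both so either manifest version is covered.
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    risky = sorted(perms & RISKY_API_PERMISSIONS)
    if risky:
        findings.append("risky API permissions: " + ", ".join(risky))
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    if broad:
        findings.append("broad host access: " + ", ".join(broad))
    return findings

def audit_profile(profile_dir, allowlist):
    """Audit every manifest.json under <profile>/Extensions and return a report."""
    report = {}
    for path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        ext_id = path.parent.parent.name
        manifest = json.loads(path.read_text(encoding="utf-8"))
        findings = audit_manifest(ext_id, manifest, allowlist)
        if findings:
            report[ext_id] = findings
    return report

# Constructed sample manifests: an allowlisted note-taking tool and a
# "productivity" extension whose update quietly asks for every site's cookies.
SAMPLE_ALLOWLIST = {"a" * 32}
SAMPLE_MANIFESTS = {
    "a" * 32: {"manifest_version": 3, "permissions": ["storage"]},
    "b" * 32: {"manifest_version": 2,
               "permissions": ["cookies", "webRequest", "<all_urls>"]},
}
```

Run audit_profile against a real profile directory (for example ~/.config/google-chrome/Default on Linux) to get a per-extension report; an extension that was clean last week and now shows cookie plus all-sites access is exactly the post-acquisition update pattern described above.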
Table of contents
What Actually Happened: The Acquisition Attack Pattern
Why This Is More Dangerous Than Traditional Malware
Why Google Isn't Stopping This
The Enterprise Security Disaster
What Individuals Should Do Right Now
What Enterprises Must Do
The Broader Supply Chain Security Lesson
What Actually Needs to Change
The Uncomfortable Truth
The Bottom Line
Key Takeaways