The Web Developer Chrome extension briefly contained malicious code after unknown parties gained access to the developer’s Gmail account. An update that removes the code is now available. The extension was infected for about three hours.
Developer Chris Pederick warned on Twitter that his extension had received a malicious update after unknown persons took over his account via phishing. The version with the modified code was 0.4.9; Pederick has since released version 0.5, which he believes is safe.
The extension in question has about 1 million users. The Firefox extension is not affected, the developer said. He shared an example of the malicious code he encountered in the Chrome extension. The code seems to specifically target Cloudflare APIs, but it’s unclear whether that was also the case with Web Developer. There were reportedly no signs of passwords being intercepted, but users did report seeing ads.
Earlier this week, the developers behind the Chrome extension CopyFish warned that something similar had happened to them. On Friday, they also fell victim to a phishing attempt, which resulted in their developer account password falling into the wrong hands. After that, the extension was moved to another account by unknown persons and the software spread spam and adware. The extension is now back in the hands of its original owners, but Google has revoked the developer account and the extension is no longer available.
Hacker News reported that other Chrome extensions were also exhibiting suspicious behavior, including User Agent Switcher, which is also developed by Pederick. Popular extensions are an attractive target for malicious parties because they can reach a large number of users.