The MSP Security Gap

Turn security gaps into sales opportunities with weekly attack scenarios

The extension had 50,000 users. It was the attacker’s.

The scenario:

An employee installed a PDF viewer extension from the Chrome Web Store. 50,000 users. 4.5-star rating. Looked legitimate. 

The extension requested permission to "read and change all your data on all websites." Nobody reads permission prompts. The extension worked as advertised. It also copied every form submission, login credential, and page visit to an external server. 


The attack:

STAGE 1: EXTENSION CREATION

Attacker creates a functional PDF viewer extension with legitimate features.

Publishes it on the Chrome Web Store with fake reviews and downloads.

Extension requests broad permissions: tabs, webRequest, all URLs.

Chrome Web Store review process approves the extension.

STAGE 2: DATA COLLECTION

Extension injects JavaScript into every page the user visits.

Captures form submissions including login credentials, search queries, and financial data.

Monitors clipboard for copied passwords and sensitive text.

Sends all captured data to an attacker-controlled API endpoint.

STAGE 3: CREDENTIAL HARVESTING

Extension captures the employee’s credentials for 23 internal and external services.

Includes: M365, banking portal, PSA tool, RMM console, and client portals.

Attacker now has valid credentials for the MSP’s management tools.

Access is obtained without triggering any security alerts.

STAGE 4: SUPPLY CHAIN RISK

Attacker uses harvested RMM credentials to access client environments.

Deploys a keylogger to 3 client machines via the RMM tool.

Captures additional credentials from client staff.

Attack remains active for 6 weeks before the extension is flagged by Google.


What stopped it:

Google’s automated analysis detected the data exfiltration behaviour and removed the extension from the Chrome Web Store. Affected users received a notification, but by then the credentials had been harvested. 


How to defend against it:

  1. Implement a browser extension allowlist policy (block all unapproved extensions)

  2. Use Chrome Enterprise or Edge for Business to manage extension policies centrally

  3. Audit installed extensions across all managed devices quarterly

  4. Block extensions requesting broad permissions (all URLs, webRequest)

  5. Monitor for unusual outbound API calls from browser processes

  6. Train staff: extension permissions are as dangerous as app permissions

  7. Use a password manager with browser integration instead of browser-stored credentials
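As an added example (not code from the newsletter), the Python script below covers defences 1, 3 and 4 in one pass: it reads the manifest.json of every extension installed in a Chrome profile, flags anything not on an allowlist or requesting broad permissions (all-URL host patterns, webRequest, tabs, clipboardRead), and emits a Chrome Enterprise ExtensionSettings policy that blocks everything except the allowlisted IDs. The on-disk layout (<profile>/Extensions/<id>/<version>/manifest.json), the policy keys installation_mode and blocked_permissions, and the Manifest V2/V3 permission keys are Chrome's own; the allowlist IDs, the broad-permission set and the sample manifests are constructed placeholders.

```python
"""Audit installed Chrome/Edge extensions against an allowlist, flag broad
permissions, and emit a Chrome Enterprise ExtensionSettings policy that
enforces the allowlist. Added example; not code from the newsletter."""
import json
from pathlib import Path

# API permissions treated as broad. Constructed set; extend it to suit your policy.
BROAD_API_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs",
                         "clipboardRead", "cookies", "debugger"}
# Host patterns that amount to "every site the user visits".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed allowlist of approved extension IDs (placeholder IDs, not real ones).
ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}  # e.g. the approved password manager


def broad_permissions(manifest: dict) -> set[str]:
    """Return the requested permissions that are broad.

    Manifest V2 lists host patterns inside "permissions"; V3 moves them to
    "host_permissions". content_scripts "matches" patterns also grant page
    access, so they are checked too.
    """
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        requested |= set(script.get("matches", []))
    return {p for p in requested
            if p in BROAD_API_PERMISSIONS or p in BROAD_HOST_PATTERNS}


def audit(extensions: dict[str, dict], allowlist: set[str]) -> list[dict]:
    """One finding per extension that is unapproved or requests broad permissions."""
    findings = []
    for ext_id, manifest in extensions.items():
        broad = broad_permissions(manifest)
        approved = ext_id in allowlist
        if not approved or broad:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "approved": approved, "broad": sorted(broad)})
    return findings


def load_installed(profile_dir: Path) -> dict[str, dict]:
    """Read every installed extension's manifest from a Chrome profile directory.

    Chrome stores them as <profile>/Extensions/<id>/<version>/manifest.json;
    if several versions are present the last directory in sorted order wins.
    """
    manifests: dict[str, dict] = {}
    for path in sorted(profile_dir.glob("Extensions/*/*/manifest.json")):
        ext_id = path.parent.parent.name
        manifests[ext_id] = json.loads(path.read_text(encoding="utf-8"))
    return manifests


def build_policy(allowlist: set[str], blocked_api_perms: set[str]) -> dict:
    """Chrome Enterprise ExtensionSettings: block everything by default, allow
    only listed IDs, and strip broad API permissions from anything installed.
    Host patterns are not valid in blocked_permissions, so they are left out."""
    policy = {"*": {"installation_mode": "blocked",
                    "blocked_permissions": sorted(blocked_api_perms)}}
    for ext_id in sorted(allowlist):
        policy[ext_id] = {"installation_mode": "allowed"}
    return policy


# Constructed sample manifests standing in for an on-disk profile.
SAMPLE_EXTENSIONS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {   # approved, narrowly scoped
        "manifest_version": 3, "name": "Approved Password Manager",
        "permissions": ["storage", "activeTab"]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {   # the scenario's PDF viewer (V3)
        "manifest_version": 3, "name": "PDF Viewer Pro",
        "permissions": ["storage", "tabs", "webRequest", "clipboardRead"],
        "host_permissions": ["<all_urls>"]},
    "cccccccccccccccccccccccccccccccc": {   # unapproved but harmless-looking (V2)
        "manifest_version": 2, "name": "Tab Notes",
        "permissions": ["storage"]},
}

if __name__ == "__main__":
    # Replace SAMPLE_EXTENSIONS with load_installed(Path("<profile dir>")) on a real device.
    for f in audit(SAMPLE_EXTENSIONS, ALLOWLIST):
        status = "approved" if f["approved"] else "NOT APPROVED"
        print(f"{f['id']}  {f['name']!r}  {status}  broad={f['broad']}")
    print(json.dumps(build_policy(ALLOWLIST, BROAD_API_PERMISSIONS), indent=2))
```

Run it across managed devices from your RMM and diff the findings against last quarter's run; the generated policy JSON goes into the ExtensionSettings policy in Chrome Enterprise or Edge for Business. Host-level restrictions (for example keeping extensions off your PSA and RMM consoles) need the separate runtime_blocked_hosts setting, which the script does not generate.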

-

50,000 users trusted it. The Chrome Web Store approved it. The permissions were displayed. Nobody read them. 

Audit your team’s browser extensions today.