Hidden in Plain Sight
Following a malicious extension to uncover a multi-extension campaign
Browser extensions remain one of the most underestimated entry points for attackers, and this week's case study proves exactly why. In our latest blog article, we outline how a routine analysis of a single suspicious extension quickly escalated into something bigger: a coordinated, multi-extension campaign designed to steal session data from crypto traders.
🔗 Following the Trail
It started with a single flag. Our Extension Analysis Framework detected a suspicious background script in Axiom Enhancer — an extension for crypto traders that had passed Chrome Web Store review without issue.
That flag led us to a second crypto trading extension, Photon Bot, with similar code patterns. Inspecting its public metadata revealed a third, implying a coordinated campaign designed to exfiltrate session data to attacker-controlled servers.
Although all three have been removed from the Chrome Store, users who installed them before removal may have already been compromised.
⚠️ What This Means for Your Organization
If a coordinated exfiltration campaign can pass Chrome's review and remain publicly available, so can extensions targeting your browser sessions, SaaS apps or identity providers.
Any extension your employees install is an attack surface, and deeper analysis is the only way to close a gap that the browser vendors themselves haven't solved.
🔥 Enter SquareX's Extension Analysis Framework
Unlike Chrome Store's security audits, SquareX takes a 3-layer approach to extension analysis — Metadata Analysis, Advanced Static Code Analysis and Dynamic Analysis, allowing a more holistic view of an extension’s security risk.
Download our Browser Extensions Whitepaper to learn about managing extension security risk and how SquareX can help 👇🏻
Pioneering the industry’s first Browser Detection and Response solution
Visit sqrx.com to learn more about our Browser Detection and Response solution, or contact our team at founder@sqrx.com to discuss your browser security requirements.
Secure any browser, any device.