A chilling new threat has emerged in the world of cybersecurity, targeting unsuspecting users of Chromium-based browsers like Google Chrome and Microsoft Edge. Dubbed “polymorphic extensions,” these malicious browser add-ons have the ability to impersonate trusted tools — such as password managers, crypto wallets, or even banking apps — putting sensitive data and financial assets at risk. A recent investigation by SquareX’s research team has uncovered how these sneaky extensions operate, exploiting both human trust and legitimate browser functionalities to devastating effect.
Picture this: you click the familiar icon of your password manager to log into an account, only to unknowingly hand over your credentials to a near-perfect imposter. According to SquareX Labs, polymorphic extensions can replicate the appearance and behavior of legitimate extensions down to the pixel, including their icons, popups, and workflows. They even temporarily disable the real extension to avoid detection, leaving users none the wiser as their login details are siphoned off to attackers. The research demonstrates this attack using 1Password as an example, but the vulnerability extends to any extension that serves as a gateway to valuable information.
The attack unfolds in four calculated phases. First, attackers disguise the polymorphic extension as a harmless tool — say, an AI marketing assistant — and publish it on the Chrome Web Store. They convince users to install and pin it to their browser toolbar through social engineering tactics like phishing emails or social media lures. The extension then lies in wait, functioning as advertised to avoid suspicion. In phase two, it identifies high-value targets among the user’s installed extensions using techniques like “web resource hitting” — a stealthy method that detects unique files associated with tools like 1Password or crypto wallets.
Once a target is locked in, phase three kicks off. The extension morphs into a doppelgänger of the chosen tool at a strategic moment — such as when a user tries to log into a service like Salesforce. It disables the legitimate extension, swaps in its identical icon, and prompts the user to “re-login” via a flawless replica of the target’s interface. Credentials entered here go straight to the attacker’s server. Afterward, the extension reverts to its original form and reactivates the real tool, which completes the login process seamlessly — leaving the victim oblivious to the breach. In the final phase, attackers wield the stolen credentials to plunder password vaults, transfer cryptocurrencies, or infiltrate corporate accounts.
What makes this attack so insidious is its reliance on human instincts. “People trust the visual cues of pinned extension icons,” SquareX researchers note, pointing out that even tech-savvy users would struggle to spot the deception. Worse, the APIs powering this attack — like Chrome Management and Scripting — are classified as “medium risk” by Chrome and are widely used by legitimate extensions, making them unlikely to raise red flags during Chrome Store audits.
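The two APIs named above (management and scripting) are declared as permissions in an extension's manifest.json, so an installed-extension inventory can at least surface extensions that hold that combination together with broad host access. The script below is an added example (not SquareX's code or Chrome's own risk model); the weights and the sample manifests are constructed for illustration, and the directory layout it walks is the usual `Extensions/<id>/<version>/manifest.json` layout of a Chromium profile.

```python
"""Flag installed Chromium extensions whose manifest declares the
permission combination described in the article (assumed weights)."""
import json
from pathlib import Path

# Illustrative weights, not Chrome's own "medium risk" classification.
FLAGGED = {"management": 3, "scripting": 2, "tabs": 1, "webRequest": 1}

# Constructed sample manifests (not real extensions) for an offline run.
SUSPICIOUS = json.dumps({
    "name": "AI Marketing Helper", "manifest_version": 3,
    "permissions": ["management", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
})
BENIGN = json.dumps({
    "name": "Tab Counter", "manifest_version": 3,
    "permissions": ["storage"], "host_permissions": [],
})


def assess(manifest):
    """Return (score, reasons) for one parsed manifest.json."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    score, reasons = 0, []
    for p in sorted(perms & FLAGGED.keys()):
        score += FLAGGED[p]
        reasons.append(f"permission:{p}")
    if "<all_urls>" in hosts or any(h.startswith("*://*/") for h in hosts):
        score += 2
        reasons.append("host:all_sites")
    # An extension that can disable a peer (management) and also inject
    # content (scripting) holds the pair the attack relies on; escalate it.
    if {"management", "scripting"} <= perms:
        score += 5
        reasons.append("combo:management+scripting")
    return score, reasons


def audit_tree(root):
    """Walk a profile's Extensions directory and score every manifest."""
    findings = {}
    for mf in Path(root).rglob("manifest.json"):
        try:
            m = json.loads(mf.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # skip unreadable or non-JSON manifests
        ext_id = mf.parents[1].name if len(mf.parents) > 1 else mf.parent.name
        findings[ext_id] = (m.get("name", "?"), *assess(m))
    return findings


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, assess(json.loads(text)))
```

A real inventory would feed `audit_tree()` the profile path (or an enterprise extension export) and review anything with a non-zero score by hand, since legitimate extensions also use these APIs.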
SquareX has alerted Google to this vulnerability, though a fix isn’t straightforward since the attack exploits intended browser features. They’ve urged Chrome to ban sudden icon or HTML changes by extensions, or at least to notify users when such shifts occur. For now, the burden falls on users and organizations to protect themselves. SquareX recommends adopting browser-native security tools that monitor extension behavior in real time, rather than relying solely on permissions or static code checks. Their own Browser Detection and Response solution, for instance, uses AI-driven static and dynamic analysis to spot malicious intent, alongside granular policies and risk scoring to flag suspicious extensions.
The takeaway? Browser extensions, once seen as handy productivity boosters, are now a potential Trojan horse. With polymorphic extensions lurking in plain sight, users must exercise caution — verifying extension sources, scrutinizing permissions, and leaning on advanced security tools to stay one step ahead of this shape-shifting threat.