
Breaking down a supply chain attack leveraging a malicious Google Workspace OAuth app

ID: d221d8b5-c61d-5df4-96b3-a467721f88ec

STIX ID: report--d221d8b5-c61d-5df4-96b3-a467721f88ec

Feed Name: Red Canary

Threat Score: 90/100

Date Published: 2026-03-04

Date Updated: 2026-04-29

Author: Tre Wilkins


In late 2024, attackers executed a supply-chain campaign targeting Chrome extension developers by tricking them into consenting to a malicious Google OAuth app named "Privacy Policy Extension" that requested the chromewebstore scope. With that permission, the adversary could modify and publish extensions in the Chrome Web Store. The compromised extensions were designed to harvest session cookies and authentication tokens (notably for Facebook Ads accounts), impacting over 2.6 million users. The report models detection and remediation steps using Google Workspace audit events.
