Targeted supply chain attack against Chrome browser extensions
ID: 9b74b8f4-36db-5829-be01-4adcfe5afd1d
STIX ID: report--9b74b8f4-36db-5829-be01-4adcfe5afd1d
Feed Name: Sekoia.io Blog
Date Published: 2025-01-22
Date Updated: 2026-04-29
Author: Quentin Bourgue and Sekoia TDR
Sekoia documents a December 2024 supply-chain campaign in which attackers used targeted spearphishing to get Chrome extension developers to authorize a malicious OAuth application. That authorization enabled the adversary to push compromised updates to roughly a dozen extensions, potentially impacting hundreds of thousands of users. The injected JavaScript fetched remote configurations and exfiltrated API keys, session cookies and other tokens (notably for ChatGPT and Facebook Business). The report includes detailed IoCs, attacker infrastructure mappings, and remediation steps.
