Two Google Chrome extensions have turned malicious after what appears to be a case of ownership transfer, offering attackers a way to push malware to downstream customers, inject arbitrary code, and harvest sensitive data.
There have been reports of extension authors getting "buyout offers" on HN. In one case I remember the author saying he informed the would-be buyer that he had never made any money from his extension, never tried to market it, and didn't think anyone would ever pay anything for it.
The buyer said none of that mattered, as he was only interested in "how big your install footprint is..."
The author was confused but figured that the buyer had some plan to monetize it, so he sold it for $75-100k. The day he turned over the git repo for the project, he saw that most of the dependencies had been replaced with dubious replacements, and it dawned on him what had happened....
Same situation for PyPI and npm library authors.... Software supply chain attacks are a big problem, and it will probably only get worse due to LLMs.
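As an added example (not code from the article or from anyone in this thread), here is the kind of check a downstream consumer or a seller doing a post-handover audit can run: diff the dependency manifest from before and after a transfer and flag the patterns described above, namely dependencies that now resolve to git/URL/tarball sources instead of the registry, removed packages that reappear under a lookalike name, and anything brand new. The two package.json-style manifests, the package names in them and the example.invalid URLs are constructed sample data.

```python
"""Flag suspicious dependency changes between two manifest snapshots.

Illustrative code written for this thread; not from the article or any
commenter. The manifests below are constructed sample data in package.json
style ({"dependencies": {name: spec}}); the same logic applies to a PyPI
requirements file once parsed into the same name -> spec shape.
"""
import re
from typing import Any, Dict

# Constructed sample: the manifest as the original author left it.
BEFORE = {
    "name": "example-extension",
    "dependencies": {
        "lodash": "^4.17.21",
        "webextension-polyfill": "^0.10.0",
        "dompurify": "^3.0.5",
    },
}

# Constructed sample: the manifest after a hypothetical hostile handover.
AFTER = {
    "name": "example-extension",
    "dependencies": {
        "lodash": "git+https://example.invalid/lodash-fork.git",   # registry -> git fork
        "webextension-polyfi11": "^0.10.0",                         # lookalike rename (l -> 1)
        "dompurify": "https://example.invalid/dompurify-3.0.5.tgz", # registry -> tarball URL
        "analytics-helper": "^1.0.0",                               # brand-new package
    },
}

# Version specs that pull code from somewhere other than the registry's
# normal name/version resolution: git URLs, http(s) tarballs, local paths,
# and npm's bare "owner/repo" GitHub shorthand.
NON_REGISTRY = re.compile(
    r"^(git\+|git:|github:|https?://|file:|[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$)"
)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small values between a removed and an added name
    suggest a lookalike rename rather than a genuine dependency change."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def diff_dependencies(before: Dict[str, Any], after: Dict[str, Any]) -> Dict[str, Any]:
    """Compare the "dependencies" maps of two manifests and return the raw
    diff plus human-readable findings worth a manual look."""
    old = before.get("dependencies", {})
    new = after.get("dependencies", {})
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}

    findings = []
    # 1. A dependency that now resolves outside the registry.
    for name, spec in new.items():
        if NON_REGISTRY.match(spec):
            findings.append(f"{name}: non-registry source {spec!r}")
    # 2. A removed package replaced by a near-identical name.
    for gone in removed:
        for came in added:
            d = levenshtein(gone, came)
            if d <= 2:
                findings.append(f"{gone} -> {came}: lookalike rename (edit distance {d})")
    # 3. Anything brand new after a handover deserves review regardless.
    for name in added:
        findings.append(f"{name}: new dependency")

    return {"added": added, "removed": removed, "changed": changed, "findings": findings}


if __name__ == "__main__":
    report = diff_dependencies(BEFORE, AFTER)
    for line in report["findings"]:
        print(line)
```

In practice you would load the two manifests from `git show <old-commit>:package.json` and the working tree, and run the same comparison over the lockfile, since a lockfile can pin a resolved URL even when package.json still looks clean.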