
Two browser extensions masquerading as free VPN services were transformed into clipboard stealers through malicious updates.
The Chrome and Firefox add-ons retained working proxy functionality to appear legitimate while secretly monitoring copied data and transmitting it to attacker-controlled servers.
Socket reports the two extensions operate under the VPN Go: Free VPN branding. At the time of the investigation, the Chrome extension had 146 users on the Chrome Web Store, while the Firefox version had 3,499 users on Mozilla Add-ons. Socket said it has reported both extensions to Google and Mozilla for review and removal.
The Chrome extension initially appeared benign. Version 1.0, released on December 22, 2025, functioned solely as a proxy extension. The malicious functionality first appeared in version 1.1, published on May 31, 2026, when the developer added the clipboardRead permission and a content script that executed on every website.
The new code polled the clipboard every 500 milliseconds, ignored duplicate entries, split copied text into roughly 1,000-character chunks, generated a session identifier, and passed the data to a background service worker for exfiltration.
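A defender can catch an update like the 1.0 to 1.1 change described above by diffing the manifests of consecutive versions before an update is allowed to roll out. The following is an added example, not code from Socket or from the extensions: the two manifests are constructed samples, and the function names and `content.js` are assumptions.

```javascript
// Added example: the manifests below are constructed, not the real extension's files.
const BROAD_MATCHES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const SENSITIVE_PERMISSIONS = new Set(["clipboardRead"]);

// Collect API, optional and host permissions from an MV2 or MV3 manifest.
function permissionsOf(manifest) {
  return new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
  ]);
}

// Collect the match patterns of content scripts that run on every website.
function broadContentMatches(manifest) {
  const found = new Set();
  for (const script of manifest.content_scripts || []) {
    for (const pattern of script.matches || []) {
      if (BROAD_MATCHES.has(pattern)) found.add(pattern);
    }
  }
  return found;
}

// Compare two versions and report what the update newly grants itself.
function auditUpdate(oldManifest, newManifest) {
  const before = permissionsOf(oldManifest);
  const addedPermissions = [...permissionsOf(newManifest)].filter((p) => !before.has(p));
  const oldBroad = broadContentMatches(oldManifest);
  const addedBroadMatches = [...broadContentMatches(newManifest)].filter((m) => !oldBroad.has(m));
  const sensitive = addedPermissions.filter((p) => SENSITIVE_PERMISSIONS.has(p));
  // Hold the update for review if clipboard access or an all-sites script is new.
  const needsReview = sensitive.length > 0 || addedBroadMatches.length > 0;
  return { addedPermissions, addedBroadMatches, needsReview };
}

// Constructed sample: a proxy-only release, then an update that adds clipboard access.
const v1_0 = { manifest_version: 3, version: "1.0", permissions: ["proxy", "storage"] };
const v1_1 = {
  manifest_version: 3,
  version: "1.1",
  permissions: ["proxy", "storage", "clipboardRead"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

console.log(auditUpdate(v1_0, v1_1));
```

The same comparison applies to a Firefox add-on's manifest.json; a new clipboard permission with no content script is still flagged.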
Clipboard stealers are particularly effective because users routinely copy passwords, MFA codes, API keys, OAuth tokens, cloud credentials, cryptocurrency wallet addresses, and recovery phrases. By abusing browser permissions rather than exploiting the operating system, attackers can capture these secrets with little user visibility.
The Firefox extension followed the same pattern. Versions through 1.3.2 behaved as ordinary proxy extensions, but version 1.3.3 introduced clipboard monitoring and exfiltration.

Unlike the Chrome extension, which used a content script and background messaging, the Firefox extension implemented the entire clipboard theft routine in its background script, polling the clipboard every 1.5 seconds before uploading newly copied text to the attacker's infrastructure.
Socket reports that both extensions share the same infrastructure and use nearly identical clipboard collection and exfiltration logic. The Chrome package even contains Firefox-specific configuration data, including the Firefox extension ID, suggesting a common codebase or build process.
The researchers noted that both extensions could retrieve proxy locations, store proxy credentials, and route browser traffic through remote servers. This legitimate functionality helps build trust and provides a convincing reason for the extensive browser permissions required by the extensions.
Socket recommends users immediately remove VPN Go: Free VPN from Chrome and Free VPN by VPN GO from Firefox. Any passwords, API keys, OAuth tokens, cloud credentials, cryptocurrency recovery material, or other sensitive information copied while either extension was installed should be considered compromised.






