
A newly discovered class of malicious browser extensions, dubbed polymorphic extensions, can impersonate legitimate extensions such as password managers in real time, tricking users into handing over sensitive credentials.
Security researchers at SquareX Labs uncovered this technique, which allows attackers to clone any installed extension’s icon, interface, and functionality while temporarily disabling the legitimate version. The attack targets popular Chromium-based browsers, including Google Chrome and Microsoft Edge, posing a serious risk to users relying on extensions for password management, financial transactions, and other sensitive tasks.
Targeting Chrome extensions
The attack is carried out in four main phases: distribution, reconnaissance, impersonation, and exploitation.
Phase 1: Infiltration and Social Engineering
Attackers first distribute the polymorphic extension by disguising it as a useful tool — such as an AI-powered assistant or marketing software — on the Chrome Web Store. Victims are tricked into installing and pinning the extension through social engineering techniques, such as promotions on social media or fake recommendations. To maintain legitimacy, the extension initially functions as advertised, performing benign tasks until the next phase is triggered.
Phase 2: Identifying a Target Extension
Once installed, the polymorphic extension begins searching for valuable targets among the user’s existing browser extensions. Since direct access to other extensions is restricted by Chrome’s security policies, attackers use alternative methods, including:
- Chrome Management API Exploitation – This API, intended for administrative control over installed extensions, can be misused to determine which extensions are present.
- Web Resource Hitting – The extension injects scripts into webpages to search for unique assets (e.g., icons, script files) associated with well-known extensions, such as 1Password or MetaMask.
If a high-value target is detected, the malicious extension remains dormant until the right moment to impersonate it.
Phase 3: Impersonation and Data Theft
When the victim attempts to use their legitimate extension — for example, by clicking on their password manager to autofill credentials — the polymorphic extension executes its attack:
- Temporarily disables the real extension, hiding its pinned icon.
- Replaces it with an identical-looking fake version, tricking the victim into interacting with it.
- Displays a login prompt identical to the original extension, requesting credentials.
- Sends the stolen credentials to an attacker-controlled server.
- Re-enables the legitimate extension, making it appear as if nothing unusual occurred.
Since the attack is triggered contextually — only activating when the victim attempts to use a specific extension — it remains undetected during routine security scans.
Mitigating the threat
Polymorphic extensions exploit visual deception, tricking users who rely on pinned extension icons to identify trusted tools. Even if a user inspects their installed extensions list, there is no easy way to correlate listed extensions with their pinned counterparts. Furthermore, all the permissions used in this attack (activeTab, scripting, chrome.management) are considered medium-risk by Chrome, making them less likely to be flagged during security reviews.
Since this attack leverages legitimate browser functionalities, there is no simple patch to prevent it. However, SquareX has proposed several countermeasures for Google Chrome, including restricting sudden extension icon and HTML changes or introducing user notifications when such changes occur. Also, permission monitoring for extensions requesting access to sensitive APIs should be enhanced to prevent this type of abuse.
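As an added illustration of the permission monitoring the paragraph above calls for (example code, not from SquareX or from Chrome): a small triage check that reads an extension manifest and flags the combination the article names, management plus scripting plus activeTab, together with broad host access. It assumes the `chrome.management` API is declared in the manifest as the `management` permission; the manifests below are constructed samples, not real extensions.

```javascript
// Permission set the polymorphic-extension technique relies on:
// management (enumerate/disable other extensions), scripting and activeTab
// (inject pages and render a look-alike UI). Each alone is "medium risk";
// together they are the capability described in the article.
const RISKY_SET = ["management", "scripting", "activeTab"];

function auditManifest(manifest) {
  const findings = [];
  const perms = new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ]);
  const present = RISKY_SET.filter((p) => perms.has(p));
  if (present.length === RISKY_SET.length) {
    findings.push(
      "management+scripting+activeTab: can enumerate, disable and impersonate other extensions"
    );
  } else if (perms.has("management")) {
    findings.push("management: can enumerate and toggle other extensions");
  }
  // Broad host permissions let injected scripts reach every site the user visits,
  // which is what makes "web resource hitting" possible on arbitrary pages.
  const hosts = manifest.host_permissions || [];
  if (hosts.some((h) => h === "<all_urls>" || h.startsWith("*://*/"))) {
    findings.push("broad host_permissions: injected scripts reach every site");
  }
  return findings;
}

// Constructed sample manifests (hypothetical extensions, not real ones).
const SAMPLE_MANIFESTS = {
  "ai-helper": {
    manifest_version: 3,
    name: "AI Helper",
    permissions: ["management", "scripting", "activeTab", "storage"],
    host_permissions: ["<all_urls>"],
  },
  "tab-counter": {
    manifest_version: 3,
    name: "Tab Counter",
    permissions: ["tabs", "storage"],
  },
};

// Returns { extensionId: [finding, ...] } for every manifest given.
function auditAll(manifests) {
  const report = {};
  for (const [id, m] of Object.entries(manifests)) report[id] = auditManifest(m);
  return report;
}

console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS), null, 2));
```

Run it against the manifests of your installed extensions (Chrome keeps them under each extension's directory in the profile) to see which ones hold the full combination.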