Chrome Web Store still features a crypto-stealing extension despite takedown request


App marketplaces and browser extension stores are increasingly known for allowing criminals to publish malicious software. The most recent example comes from the Chrome Web Store.

Researchers at the cybersecurity firm Socket discovered a malicious Chrome extension that was published on the store a year ago, and it remains live despite a takedown request being sent at least a couple of days ago.

According to Socket, the malicious extension, Safery, is disguised as an Ethereum (ETH) wallet while hiding a backdoor. It exfiltrates seed phrases, a combination of 12–24 words that gives access to the wallet, by encoding them into addresses on the Sui (SUI) blockchain and broadcasting microtransactions from a threat-actor-controlled Sui wallet.


"By decoding the recipients, the threat actor reconstructs the original seed phrase and can drain affected assets. The mnemonic leaves the browser concealed inside normal-looking blockchain transactions," Socket said.


Meanwhile, when looking for an ETH wallet on the Chrome Web Store, Safery is displayed as the fourth result, despite not being rated, and is placed among other extensions with higher than 4-star rankings.

What's more, as the extension initially appears to be a standard Ethereum wallet, "for many users, that behavior and the reassuring marketing would be enough to entrust it with their seed phrase," the researchers emphasized.


They urged users to rely only on trusted wallet extensions with established security track records and to install them from verified publisher pages rather than search results or ads.

"Unpack and scan extensions for mnemonic encoders, synthetic address generators, hardcoded seeds, and signing code unrelated to stated features. Block any extension that writes on-chain during wallet import or creation," they added.


Meanwhile, in a recent separate report, another cybersecurity company, Bolster, said it had found "a compact but effective" JavaScript-based scam campaign.

Researchers flagged a spike in emails pushing a "secret profit trick" or "zero-day" for Swapzone, a crypto exchange aggregator. Via these emails, scammers try to trick potential victims into pasting a single javascript: URL snippet into their browser address bar, which allows the criminals to drain the user's crypto wallet.

"Defenders should focus on detection at both the distribution (phishing) and execution (DOM tampering) layers, and users must treat any ad-hoc JavaScript execution as a high-risk action," Bolster urges.
