Web Developer Chrome extension shipped malware

Web Developer was one of the legitimate Chrome extensions affected by the 2017 developer-account phishing spree. Attackers used stolen Chrome Web Store credentials to publish a malicious update through the official extension channel.

The affected release was Web Developer 0.4.9. This was not a typosquat or a cloned listing; the attack used the real Chrome Web Store extension account, so existing users received the hostile build through the normal update mechanism.

The malicious update loaded attacker-controlled JavaScript associated with the broader campaign. Reporting linked the activity to ad substitution, redirect chains, and credential-theft-capable behavior across several hijacked extensions.

This leaf record preserves the Web Developer version and store distribution boundary. The campaign record carries the shared phishing domains, redirect infrastructure, and cross-extension behavior.

Motive

Financial Gain

Attribution

Group

Cause

Phishing

Transitive

No

Actor

Cybercriminal

User Impact

1500000

• domainclick.rdr11.top
• domainchromedevelopment.site
• domainlogin.chromeextensions.info
• domainchromeextensions.info
• domainwd7bdb20e4d622f6569f3e8503138c859d.win
• domainsearchtab.win
• domainredirect2.top
• domainbrowser-updates.info
• domainpartner-net.men
• urlhttp://partner-net[.]men/code/pid/973820_BNX.js?rev=133

• Chrome extension developers under a barrage of phishing attacksbleepingcomputer.com
• Chrome extension developers under attacka9t9.com
• Threat actor goes on a Chrome extension hijacking spreeproofpoint.com
• Keeping our users safeblog.cloudflare.com
• Eight Chrome Extensions Hijacked to Deliver Malicious Code to 4.8 Million Usersbleepingcomputer.com